WO2016179348A1 - Method, device and server for managing user login sessions - Google Patents


Info

Publication number: WO2016179348A1
Application number: PCT/US2016/030889
Authority: WO (WIPO (PCT))
Prior art keywords: login, session, user, queue, managing
Other languages: French (fr)
Inventor: Dian XU
Original Assignee: Alibaba Group Holding Limited
Application filed by: Alibaba Group Holding Limited
Priority claimed from: CN201510229467.8A (CN106209744B)
Related family publications: EP16790059.6A (EP3292465A4), JP2017553355A (JP6563515B2), SG11201708868XA, KR1020177031892A (KR102027668B1)

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication > G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards > G06F21/35 User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/14 Session management

Definitions

  • the present disclosure relates to the technical field of Internet technology, and particularly to a method, device and server for managing user login sessions.
  • a legitimate user can log into a website through a computing device using the user's username and password.
  • An illegitimate user may steal the user's password when the user logs into a website via a PC, and the illegitimate user may keep the legitimate user's login session on the computing device active by periodically refreshing the web page, which refreshes a login timestamp.
  • the login session can be kept active by refreshing the webpage to refresh the login timestamp.
  • the login session may be kept open by the illegitimate user even if the legitimate user changes the login password.
  • the illegitimate user can still refresh the login session timestamp by refreshing the page to keep the login session, and login status, active despite the legitimate user's password change.
  • the illegitimate user can keep the login session, and status, active without the legitimate user's knowledge or permission.
  • Embodiments of the present disclosure seek to address failings in the art and to provide a capability to effectively manage the login status of a legitimate user's login session(s).
  • each login session created by logging in using a legitimate user's user identifier (UID) can be effectively managed using a login session queue.
  • each login session that has been started by logging in using the legitimate user's UID can remain under the control of the legitimate user, thus avoiding any login security issues for the legitimate user in connection with the user's UID.
  • a method for managing user login sessions using a server is provided.
  • the method comprises querying, using a server computing device and a user ID (UID), to detect whether a login session queue corresponding to the user ID exists in a session cache list, the querying being performed after a successful login of the user with the user ID via a login medium; managing, using the server computing device, the user's login status through the login session queue, if the querying detects that the login session queue corresponding to the user ID exists in the session cache list; and storing, using the server computing device, a session ID in a login session queue corresponding to the UID in the session cache list if the querying detects an absence of the login session queue corresponding to the user ID in the session cache list.
  • a server computing device for managing user login sessions.
  • the server computing device comprising a query module querying, using a user ID, to detect whether a login session queue corresponding to the user ID exists in a session cache list, the querying being performed after a successful login of the user with the user ID via a login medium; a managing module managing the user's login status through the login session queue, if the query module detects that the login session queue corresponding to the user ID exists in the session cache list; and a first storage module storing a session ID in a login session queue corresponding to the UID in the session cache list if the query module detects an absence of the login session queue corresponding to the user ID in the session cache list.
  • a server comprising a processor and a storage medium for tangibly storing thereon program logic for execution by the processor, the stored program logic comprising: querying logic executed by the processor for querying, using a user ID, to detect whether a login session queue corresponding to the user ID exists in a session cache list, the querying being performed after a successful login of the user with the user ID via a login medium; managing logic executed by the processor for managing the user's login status through the login session queue, if the querying detects that the login session queue corresponding to the user ID exists in the session cache list; and storing logic executed by the processor for storing a session ID in a login session queue corresponding to the UID in the session cache list if the querying detects an absence of the login session queue corresponding to the user ID in the session cache list.
  • Embodiments of the present disclosure query, according to the UID, whether any login session queue corresponding to the UID exists in the session cache list; if one exists, the user's login status is managed through that login session queue, so that the login status created with the UID can be effectively managed by the legitimate user, and the security issues that arise when a login status created with the UID is beyond the legitimate user's control can be prevented.
  • FIG 1 is a flow diagram of the method for managing user login sessions according to one exemplary embodiment of the present disclosure
  • FIG. 2 is a flow diagram of the method for managing user login sessions according to another exemplary embodiment of the present disclosure
  • FIG. 3 is a flow diagram of the method for managing user login sessions according to yet another exemplary embodiment of the present disclosure
  • FIG 4A is a flow diagram of the method for managing user login sessions according to yet another exemplary embodiment of the present disclosure.
  • FIG 4B is a flow diagram of a means of realization in accordance with step 402 in the embodiment as shown in FIG 4A;
  • FIG 5 is a scene graph of the user login session management according to an exemplary embodiment of the present disclosure.
  • FIG 6 illustrates a schematic view of the structure of a server according to an exemplary embodiment of the present disclosure
  • FIG 7 illustrates a schematic view of the structure of a device for managing user login sessions according to one exemplary embodiment of the present disclosure
  • FIG 8 illustrates a schematic view of the structure of a device for managing user login sessions according to another exemplary embodiment of the present disclosure
  • FIG 9 illustrates a schematic view of the structure of a device for managing user login sessions according to yet another exemplary embodiment of the present disclosure
  • FIG. 10 illustrates a schematic view of the structure of a device for managing user login sessions according to yet another exemplary embodiment of the present disclosure
  • The terms "first", "second" and "third" may be used herein to describe all kinds of information, but the information shall not be limited by these terms. These terms are only used to distinguish information of the same type from each other.
  • For example, first information can be called second information, and similarly second information can be called first information, depending on the context. Likewise, the word "if" as used herein can be interpreted as "when", "while" or "in response to determining".
  • a login session is a process which begins with the user successfully logging in and ends with the user logging off or with a session expiration, the latter of which can be due to a login timeout.
  • an SID identifying a login session corresponding to the user's login can be generated, and the SID can be used to track the login session corresponding to the user's login.
  • the present disclosure queries, using the user's UID and after the user has successfully logged in with the UID through a login medium, whether there is any existing login session queue corresponding to the UID in the session cache list. If there is a login session queue, the user's login status is managed using the login session queue.
  • the status of a legitimate user's login with the user's UID can be effectively managed by the legitimate user through the login session queue, and thus any security issues can be prevented for the legitimate user, including the circumstance in which the status of the user's login with the user's UID would otherwise be beyond the legitimate user's control.
  • FIG 1 is illustrative of a flow diagram of a method for managing user login sessions in accordance with an exemplary embodiment of the present disclosure.
  • In step 101, the session cache list is queried using the user's UID after the user has successfully logged in with the UID via a login medium, to detect whether any login session queue corresponding to the UID exists in the session cache list. If a login session queue is detected, step 102 is executed; otherwise, step 103 is executed.
  • Examples of login mediums include a PC, a mobile phone, or a tablet, etc.
  • the UID can be the user's username used to log in to a website.
  • hanmei2015 is the UID registered by Han Mei on the AAA portal site, and Han Mei can log into the AAA portal site with the UID.
  • Han Mei can log into the AAA portal site through a PC browser, as well as a mobile phone browser.
  • the session cache list can be implemented through a
  • an SID can be created for this login and a mapping relationship between the UID and the SID can be established and stored in the session cache list in a login session queue corresponding to the UID.
  • a UID corresponds to a login session queue, in which the corresponding login medium (e.g., a PC, a mobile phone, a tablet, etc.), IP address, time and browser information (e.g., browser name, version number, etc.) of each login to the AAA portal site with the UID can be recorded; if the storage capacity of the login session queue is adequate, the login session queue can record all the login history about when and through what login medium the user logged into the AAA portal site with the UID.
  • In step 102, which is performed if the querying in step 101 detects a login session queue corresponding to the UID in the session cache list, the user's login status is managed using that login session queue, and the process ends.
  • management of the login session queue can be implemented by determining whether the size of the login session queue exceeds a predetermined threshold. In another embodiment, management of the login session queue can be implemented by determining whether the storage duration of each SID in the login session queue exceeds a predetermined storage cycle. In yet another embodiment, each currently active login session in the login session queue can also be managed based on the login permission settings set by the user.
  • Han Mei personally logs into the AAA portal site with the UID hanmei2015 and this is not the first time that the hanmei2015 UID has been used by Han Mei to log in to the AAA portal site.
  • a login session queue corresponding to the hanmei2015 UID exists in the session cache list, and the current login session and a login session history of other logins to the AAA portal site with the hanmei2015 UID can be stored in the login session queue.
  • Han Mei logs into the AAA portal site with the hanmei2015 UID on a public computer but forgets to log out.
  • An illegitimate user Li Ming continues the login session, which began with Han Mei logging in to the AAA portal site with Han Mei's UID on the public computer. As discussed herein, Li Ming can continue the login session by performing a web page refresh, for example.
  • After Han Mei is home and logs in to the AAA portal site with the hanmei2015 UID again, she can manage the login status of each login session, including the one currently being kept active by Li Ming on the public computer, through the login session queue corresponding to the hanmei2015 UID. If the login session queue indicates that the hanmei2015 UID is still logged in on the public computer, Han Mei can log that session out, which prevents the illegitimate user Li Ming from continuing to use her login session on the AAA portal site.
  • each login session created using the UID hanmei2015 can be effectively managed by Han Mei using the login session queue, and thus any security issues can be eliminated, including the security issues associated with Han Mei's login session created with the hanmei2015 UID, which login session's status would otherwise be beyond her control.
  • In step 103, which is performed if the querying in step 101 detects no login session queue corresponding to the UID in the session cache list, the SID corresponding to the user's current login is stored in a new login session queue in the session cache list, and the process ends.
  • For example, Han Mei logs in to the AAA portal site with the hanmei2015 UID for the first time, so no login session queue for that UID exists yet.
  • an SID is created for the login session associated with Han Mei's login with the hanmei2015 UID, and the SID is stored in a login session queue.
  • the login session queue can be used to manage the login status of each login session associated with a login using the hanmei2015 UID.
  • At least one embodiment provided herein queries, using a UID, whether there is any existing login session queue corresponding to the UID in the session cache list and manages the user login status through the login session queue if an existing login session queue is detected.
  • the at least one embodiment enables legitimate users to effectively manage, through the login session queue, the login status of each login session created by the user logging in with the UID. Furthermore and in accordance with at least one embodiment, any security issues can be prevented or eliminated for a legitimate user, even in a case that a login session created with the UID would otherwise be beyond the legitimate user's control.
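Steps 101 to 103 and the public-computer scenario above, as an added example in Python that is not part of the patent text: a session cache list keyed by UID, each value a login session queue of SIDs, a per-request touch that refreshes the session timestamp (the behaviour the illegitimate user relies on), and a server-side revoke that the legitimate user can invoke from a later login. The SID is minted with the CSPRNG-backed secrets module so it cannot be guessed; the SID-to-UID index, the timeout value and every name, address and timestamp below are assumptions of this example.

```python
import secrets
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class LoginRecord:
    """One entry of a login session queue: what the page says the queue records."""
    sid: str
    medium: str       # "pc", "mobile", "tablet"
    ip: str
    browser: str
    login_time: float
    last_seen: float  # the timestamp a page refresh keeps pushing forward


class SessionCache:
    """Session cache list: UID -> login session queue (insertion ordered, oldest first).

    The reverse SID -> UID index is an assumption of this example; the page only
    describes the UID -> queue direction, but a server must resolve the SID sent
    with each request back to its queue entry.
    """

    def __init__(self, timeout: float = 1800.0):
        self.timeout = timeout
        self._queues = {}     # uid -> OrderedDict[sid, LoginRecord]
        self._sid_index = {}  # sid -> uid

    def login(self, uid: str, medium: str, ip: str, browser: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)              # step 502: unguessable SID
        record = LoginRecord(sid, medium, ip, browser, now, now)
        queue = self._queues.get(uid)                # step 101: query by UID
        if queue is None:
            queue = self._queues[uid] = OrderedDict()  # step 103: no queue yet, create one
        queue[sid] = record                          # step 102/204: record this login
        self._sid_index[sid] = uid
        return sid

    def touch(self, sid: str, now: float) -> bool:
        """A request carrying `sid`, e.g. a page refresh. False once the session is gone."""
        uid = self._sid_index.get(sid)
        if uid is None:
            return False
        record = self._queues[uid][sid]
        if now - record.last_seen > self.timeout:
            self.revoke(uid, sid)                    # expired: drop it, never revive it
            return False
        record.last_seen = now                       # the refresh the threat model relies on
        return True

    def sessions(self, uid: str) -> list:
        """What the legitimate user sees when managing their login status."""
        return list(self._queues.get(uid, {}).values())

    def revoke(self, uid: str, sid: str) -> bool:
        """Log one session out server-side; the holder's next request fails."""
        queue = self._queues.get(uid)
        if not queue or sid not in queue:
            return False
        del queue[sid]
        del self._sid_index[sid]
        return True


def public_computer_scenario() -> dict:
    """The Han Mei / Li Ming scenario from the page, with constructed values."""
    cache = SessionCache(timeout=1800)
    t0 = 1_700_000_000.0
    public_sid = cache.login("hanmei2015", "pc", "192.0.2.50", "Firefox 90", t0)
    # Li Ming keeps the abandoned session alive by refreshing every ten minutes.
    for i in range(1, 7):
        cache.touch(public_sid, t0 + 600 * i)
    alive_before = cache.touch(public_sid, t0 + 4200)
    # Han Mei logs in at home, finds the stale PC session in her queue and logs it out.
    home_sid = cache.login("hanmei2015", "pc", "203.0.113.10", "Chrome 100", t0 + 4300)
    stale = [r for r in cache.sessions("hanmei2015") if r.sid != home_sid]
    revoked = all(cache.revoke("hanmei2015", r.sid) for r in stale)
    alive_after = cache.touch(public_sid, t0 + 4400)
    return {"alive_before": alive_before, "stale_count": len(stale),
            "revoked": revoked, "alive_after": alive_after,
            "remaining": len(cache.sessions("hanmei2015"))}
```

Revocation works here only because every request resolves the SID against the server-side queue; a self-contained bearer token that is validated without such a lookup cannot be ended this way before it expires.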
  • FIGs. 2 and 3 illustrate a storage capacity management of a login session queue in accordance with one or more embodiments of the present disclosure.
  • FIG 2 provides a flow diagram illustrating a method for managing user login sessions in accordance with at least one exemplary embodiment of the present disclosure.
  • storage capacity of a login session queue can be managed by deleting an SID in the login session queue.
  • the method in the example shown in FIG. 2 comprises steps 201-204.
  • In step 201, a determination is made whether the size of the login session queue exceeds a predetermined threshold. If it does, processing continues in step 202; otherwise, processing continues in step 204.
  • an SID corresponding to each login session is created to record the login actions involving Han Mei's hanmei2015 UID.
  • The threshold for the size of Han Mei's login session queue can be set to a value such as 50, so that her login session queue records her login status on the AAA portal site for 50 logins using the hanmei2015 UID.
  • The predetermined threshold can be determined based on various factors, such as user login frequency, a user rating (e.g., a login rating represented by stars: one-star, two-star, etc.), a user type (e.g., enterprise user or individual user) and the storage capacity of the cache list.
  • In step 202, if the size of the login session queue exceeds the predetermined threshold, each invalid login session in the login session queue is identified and deleted from the login session queue.
  • In step 203, each invalid login session deleted in step 202 is stored in a first database. By storing the invalid login sessions in the first database, the user can query the login status history of his/her own UID on any login medium (e.g., a PC) when the user wishes to do so. Processing ends after step 203.
  • an invalid login session in the login session queue can be determined according to preset conditions. For example, if a user's invalid login sessions are determined by the user's login time, the oldest login sessions can be deleted. As yet another example, a user's invalid login sessions can be determined by a predetermined login medium set by the user. For example, Han Mei logs into the AAA portal site with the hanmei2015 UID, and her favorite login medium is a PC. Therefore, Han Mei can set a predetermined login medium to be the PC and indicate that any login sessions with the hanmei2015 UID generated using a mobile device are to be deleted.
  • In step 204, if the predetermined threshold has not been exceeded, the SID corresponding to the current login is stored in the login session queue, and the process ends.
  • any invalid login sessions are deleted from the login session queue, so as to promptly clear the invalid login sessions in the login session queue and reduce the storage space of the session cache list by the space occupied by the invalid login session(s).
  • FIG 3 provides a flow diagram illustrating a method for managing user login sessions in yet another exemplary embodiment of the present disclosure.
  • storage capacity of a login session queue can be controlled by deleting an SID in the login session queue using a storage cycle.
  • the method in the example shown in FIG. 3 comprises steps 301-305.
  • In step 301, the storage duration of each SID in the login session queue is determined and compared with a predetermined storage cycle. If the storage cycle is, for example, set to 1 month, each SID with a storage duration exceeding 1 month is regarded as an invalid login session.
  • In step 302, each SID in the login session queue whose storage duration does not exceed the storage cycle is considered an active SID. In step 303, each SID identified as active in step 302 is stored in a second database.
  • In steps 302 and 303, by storing the active SIDs in the second database, the user's active SIDs can be obtained from the second database when the user performs a password change.
  • Each of the active login sessions that is to be deleted in accordance with the user's login permission settings can be deleted, and each active login session that is permitted by the login permission settings can be maintained.
  • the user is able to maintain a plurality of login sessions with the same UID on the same login medium (e.g., a PC) in accordance with the login permission settings in a Browser/Server mode (B/S mode).
  • the user is also able to permit only one login with the same UID via the same login medium.
  • the user is able to flexibly manage the login status of his/her UID.
  • In step 304, each login session in the login session queue whose storage duration exceeds the storage cycle is determined to be an invalid login session.
  • In step 305, each invalid login session is stored in the first database.
  • In steps 304 and 305, by storing the invalid login sessions in the first database, which can serve as a security information platform, the user's invalid login sessions can be retrieved from the first database whenever the login status of all of the user's login sessions needs to be ascertained. Furthermore, when an illegitimate user is to be penalized, the UIDs used by the illegitimate user can be reclaimed, so that the illegitimate user can no longer use them, and the illegitimate user's login status can be revoked.
  • each SID having a storage duration exceeding the predetermined storage cycle can be deleted from the login session queue, so as to promptly clear the invalid login sessions in the login session queue and reduce the storage space occupied by the invalid login sessions.
  • the embodiments shown in FIGs. 2 and 3 can be combined, so that all of a user's login sessions can be stored.
  • the storage capacity of the cache list can be maintained within a certain range. For example, if the AAA portal site has 50,000,000 active users each day, the required storage capacity of the server is (50,000,000 users) * (logins per day per user) * (storage space occupied by each login session), which amounts to at least 1024 GB in this example.
  • the storage capacity of the session cache list can be reduced and the management of all the user logins of the AAA portal site can be implemented by the prompt deletion of SIDs in the login session queue.
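The combined management of FIGs. 2 and 3, as an added Python example that is not the patent's code: storage-cycle expiry is applied first (steps 301 to 305), then the size threshold with the page's two example conditions for picking invalid sessions, a user-preferred login medium and oldest-first (steps 201 to 204). The `first`/`second` database lists, the entry fields and the constructed sample queue are assumptions of this example.

```python
from dataclasses import dataclass, field

DAY = 86_400.0


@dataclass
class QueueEntry:
    sid: str
    medium: str
    stored_at: float  # when the SID entered the queue; start of its storage duration


@dataclass
class Databases:
    """The two stores the page names (assumed to be plain lists here)."""
    first: list = field(default_factory=list)   # invalid sessions: queryable history
    second: list = field(default_factory=list)  # active SIDs: consulted on password change


def prune_queue(queue, now, threshold, storage_cycle, dbs, preferred_medium=None):
    """Apply FIG. 3 (storage cycle) then FIG. 2 (size threshold) to one UID's queue.

    Returns the surviving queue. Invalid entries are appended to dbs.first and the
    survivors replace dbs.second. `preferred_medium` is the page's example of a
    user-set condition: only when the queue is still over the threshold are logins
    from any other medium treated as invalid, before falling back to oldest-first.
    """
    active, invalid = [], []
    # Steps 301/304: storage duration beyond the storage cycle => invalid
    for entry in queue:
        (invalid if now - entry.stored_at > storage_cycle else active).append(entry)
    # Steps 201-202: extra eviction only while the queue exceeds the threshold
    if len(active) > threshold and preferred_medium is not None:
        invalid.extend(e for e in active if e.medium != preferred_medium)
        active = [e for e in active if e.medium == preferred_medium]
    active.sort(key=lambda e: e.stored_at)
    while len(active) > threshold:
        invalid.append(active.pop(0))           # oldest login first
    dbs.first.extend(invalid)                   # steps 203/305
    dbs.second = list(active)                   # step 303
    return active


def sample_run():
    """Constructed queue for one UID: six logins, a 30-day cycle, threshold 3, PC preferred."""
    now = 400 * DAY
    queue = [
        QueueEntry("s1", "pc", now - 45 * DAY),      # older than the storage cycle
        QueueEntry("s2", "mobile", now - 20 * DAY),
        QueueEntry("s3", "pc", now - 10 * DAY),
        QueueEntry("s4", "pc", now - 5 * DAY),
        QueueEntry("s5", "mobile", now - 2 * DAY),
        QueueEntry("s6", "pc", now - 1 * DAY),
    ]
    dbs = Databases()
    kept = prune_queue(queue, now, threshold=3, storage_cycle=30 * DAY,
                       dbs=dbs, preferred_medium="pc")
    return ([e.sid for e in kept], [e.sid for e in dbs.first], [e.sid for e in dbs.second])
```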
  • In existing approaches, the security management of a user's login status is undertaken in the Client/Server mode (C/S mode).
  • the instant messaging tool QQ only allows one login for a login medium (e.g., a PC), and other logins from the same medium (i.e., other PCs) would be forced offline; the same UID cannot be flexibly used to simultaneously perform a plurality of logins and remain online via the same login medium.
  • Embodiments of the present disclosure are based on the B/S mode, in which the same UID can be used for a plurality of logins via the same login medium based on the user's login permission settings. Please refer to the exemplary embodiments shown in FIGs. 4A and 4B.
  • FIG 4A provides a flow diagram illustrating a method for managing user login sessions according to yet another exemplary embodiment of the present disclosure.
  • the exemplary embodiment shown in FIG 4A comprises steps 401 and 402.
  • In step 401, the user's login permission settings are determined after it is determined that the user is performing a password change via the current login medium.
  • Han Mei's login permission settings can be set according to her actual login preference. For example, Han Mei can set simultaneous logins in the office and at home as permitted through the IP address, as well as simultaneous logins on two mobile phones based on the login medium, and so on.
  • Han Mei can set login permission according to login medium (e.g., a PC, a mobile phone, a tablet, etc.), IP address, time and browser information (e.g., browser name, version number, etc.) to be recorded in the login session queue, so that Han Mei can have personalized login permission settings.
  • In step 402, the active login sessions in the login session queue are managed based on the user's login permission settings.
  • For example, Han Mei's login permission settings specify that only certain IP addresses at the office and at home are permitted. If a login session from a different IP address is found in the login session queue, that login session is deleted, forcing the illegitimate user offline; Han Mei thereby has control over logins from other IP addresses, and login security issues are avoided.
  • FIG 4B provides a flow diagram illustrating an implementation in accordance with step 402 in the embodiment as shown in FIG 4A, wherein step 402 may comprise steps 411 and 412 of Figure 4B.
  • In step 411, each currently active login session in the login session queue is identified.
  • In step 412, each currently active login session permitted by the user's login permission settings is kept, and each currently active login session not permitted by those settings is deleted.
  • For example, Han Mei sets the school IP address as not permitted. When a login from the school IP address is found in the login session queue, the SID of that login is deleted, so that Li Lei's login status at the school is removed and Li Lei is forced offline.
  • the login session associated with Li Lei logging in to the AAA portal site through the school IP address can be within Han Mei's control and Han Mei's management of her login status is improved.
  • the login permission can be set according to login media (e.g., a PC, a mobile phone, a tablet, etc.), IP address, time and browser information (e.g., browser name, version number, etc.) corresponding to the UIDs recorded in the login session queue, thereby personalizing login permission settings according to the preset login permission settings, improving the flexibility in managing the user's login status.
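Steps 401, 402, 411 and 412, as an added Python example (not the patent's code) of applying login permission settings when a password change is detected: denied networks, allowed networks, allowed login media and the one-login-per-medium rule described above, with the session on the current login medium always kept. The rule names, the use of ipaddress network matching and the constructed sessions for Han Mei and Li Lei are assumptions of this example. Address-based rules are coarse in practice: users behind a shared NAT present one address and mobile clients change address often, so a denied-network rule is a blunt instrument rather than a form of authentication.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ActiveSession:
    sid: str
    medium: str
    ip: str
    browser: str


@dataclass
class LoginPermission:
    """A user's login permission settings (field names are this example's, not the page's)."""
    denied_networks: tuple = ()    # e.g. the school address range: always delete
    allowed_networks: tuple = ()   # if non-empty, the IP must fall inside one of them
    allowed_media: tuple = ()      # if non-empty, only these login media may stay logged in
    one_per_medium: bool = False   # "permit only one login with the same UID via the same medium"

    def permits(self, s: ActiveSession) -> bool:
        addr = ip_address(s.ip)
        if any(addr in ip_network(n) for n in self.denied_networks):
            return False
        if self.allowed_networks and not any(addr in ip_network(n) for n in self.allowed_networks):
            return False
        if self.allowed_media and s.medium not in self.allowed_media:
            return False
        return True


def on_password_change(active, current_sid, perm):
    """Steps 401-412: keep permitted sessions, delete the rest, never drop the current one.

    Returns (kept, deleted) as lists of SIDs. The current session is processed first so
    that, with one_per_medium set, it is the one that survives on its medium.
    """
    ordered = sorted(active, key=lambda s: s.sid != current_sid)  # stable: current first
    seen_media, kept, deleted = set(), [], []
    for s in ordered:
        allowed = s.sid == current_sid or perm.permits(s)
        if allowed and perm.one_per_medium:
            allowed = s.medium not in seen_media
        if allowed:
            seen_media.add(s.medium)
            kept.append(s.sid)
        else:
            deleted.append(s.sid)
    return kept, deleted


def han_mei_example():
    """Constructed sessions: home and office permitted, the school range denied,
    an unknown network neither allowed nor denied; the password change happens at home."""
    sessions = [
        ActiveSession("home", "pc", "203.0.113.10", "Chrome 100"),
        ActiveSession("office", "pc", "198.51.100.5", "Firefox 90"),
        ActiveSession("school", "pc", "192.0.2.7", "Firefox 90"),    # Li Lei's login
        ActiveSession("cafe", "mobile", "100.64.0.1", "Safari 15"),  # not in any allowed range
        ActiveSession("phone", "mobile", "203.0.113.10", "Safari 15"),
    ]
    perm = LoginPermission(denied_networks=("192.0.2.0/24",),
                           allowed_networks=("203.0.113.0/24", "198.51.100.0/24"))
    return on_password_change(sessions, current_sid="home", perm=perm)
```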
  • FIG. 5 provides a scene graph of a user's login session management according to an exemplary embodiment of the present disclosure.
  • the exemplary embodiment of FIG. 5 comprises steps 501-512.
  • In step 501, a user logs in with a UID via a login medium.
  • After logging in, the user can be directed to the corresponding transactions.
  • The embodiments of the present disclosure do not describe these transactions in detail.
  • In step 502, an SID is created for the user's login.
  • In step 503, the session cache list is queried using the user's UID.
  • In step 504, a determination is made whether any login session queue corresponding to the UID exists in the session cache list. If one exists, execution proceeds to step 505; otherwise, execution proceeds to step 508.
  • In step 505, the login session queue corresponding to the UID is obtained from the cache list.
  • In step 506, a determination is made whether the size of the login session queue exceeds a predetermined threshold. If it does, execution proceeds to step 507; otherwise, execution proceeds to step 508.
  • In step 507, each invalid login session in the login session queue is identified.
  • In step 510, each invalid login session identified in step 507 is deleted from the login session queue and stored in the first database. Processing ends.
  • In step 508, a new login session corresponding to the UID is created and stored in the cache list.
  • In step 509, a determination is made whether the storage duration of any SID in the login session queue exceeds the predetermined storage cycle.
  • Each SID whose storage duration exceeds the storage cycle is stored in the first database, and each SID whose storage duration does not exceed the storage cycle is stored in the second database. Processing ends.
  • each currently-active login session is retrieved from the second database when the user is detected as performing a password change operation.
  • the currently-active login sessions retrieved from the second database are managed. Any login sessions that are not permitted by the user's login permission settings are deleted.
  • the user can obtain all login status for a given UID on all login media (e.g., a PC, a mobile phone) through the login session queue, including the active and invalid logins.
  • Embodiments of the present disclosure also enable the login via the current login medium to remain valid while forcing the logins via other login media offline when the user is detected to be performing a password change.
  • the present disclosure also discloses a schematic view of the structure of a server in accordance with an exemplary embodiment of the disclosure, shown in FIG. 6.
  • the server comprises a processor, an internal bus, a network interface, a memory and a nonvolatile memory.
  • the server may include other hardware.
  • the processor reads the corresponding computer program from the nonvolatile memory into the memory and then runs the program, and thus logically forms a device for managing user login sessions.
  • FIG 7 provides an illustration of a schematic view of the structure of a device for managing user login sessions in accordance with one exemplary embodiment of the disclosure.
  • the device for managing the login sessions can comprise a query module 71, a managing module 72 and a first storage module 73.
  • the query module 71 queries, using the UID and after the user has successfully logged in with the UID via a login medium, whether there is any existing login session queue
  • the managing module 72 manages the user login status through the login session queue if the query module 71 detects that there is an existing login session queue.
  • the first storage module 73 stores the SID corresponding to the new login in the session cache list in the form of a login session queue if the query module 71 detects that there is no existing login session queue.
  • FIG. 8 provides an example of a schematic view of the structure of a device for managing user login sessions according to another exemplary embodiment of the present disclosure.
  • the device shown in FIG. 7 can further comprise a creation module 74, which is used to create an SID for this login for the user, and an establishment module 75, which is used to establish the mapping relationship between the UID and the SID created by the creation module 74.
  • the mapping relationship is established by the establishment module 75 for the query module 71, to query, according to the UID, the login session queue in the session cache list.
  • the managing module 72 can comprise a first determination unit 721, a second determination unit 722 and a storage unit 723.
  • the first determination unit 721 determines whether the size of the login session queue detected by the query module 71 exceeds the predetermined threshold.
  • determination unit 722 identifies any invalid login sessions in the login session queue and deletes any invalid login session(s) from the login session queue, if the first determination unit 721 determines that the login session queue's size exceeds the predetermined threshold.
  • the storage unit 723 stores the SID corresponding to the new login in the login session queue, if the first determination unit 721 determines that the size of the login session queue does not exceed the predetermined threshold.
  • the device can further comprise a second storage module 76 to store the invalid login session identified by the second determination unit 722 in the first database.
  • FIG 9 provides an example of a schematic view of a structure of a device for managing user login sessions in accordance with yet another exemplary embodiment of the present disclosure.
  • the managing module 72 shown in FIG 7 can comprise a third determination unit 724, a fourth determination unit 725 and a deletion unit 726.
  • the third determination unit 724 determines whether the storage duration of each login SID in the login session queue detected by the first query module exceeds the predetermined storage cycle.
  • the fourth determination unit 725 identifies each SID (determined by the third determination unit 724) having a storage duration exceeding the predetermined storage cycle in the login session queue as an invalid login session in the login session queue.
  • the deletion unit 726 deletes each invalid login session identified by the fourth determination unit 725 from the login session queue.
  • the device can further comprise a third storage module 77 to store, in the first database, each invalid login session deleted by the deletion unit 726.
  • the device can further comprise a first determination module 78 to determine each SID (detected by the query module 71) having a storage duration not exceeding the predetermined storage cycle in the login session queue as an active SID, and a fourth storage module 79 to store each active SID determined by the first determination module 78 in the second database.
  • FIG. 10 provides an example of a schematic view of the structure of a device for managing user login sessions in accordance with yet another exemplary embodiment of the present disclosure.
  • the managing module 72 shown in FIG 7 can comprise a fifth determination unit 726 to determine the user's login permission settings after detecting that the user is performing a password change via the current login medium, and a managing unit 727 to manage the currently-active login sessions in the login session queue according to the login permission settings determined by the fifth determination unit 726.
  • the managing unit 727 can comprise a determination subunit 7271 to determine the currently-active login sessions in the login session queue, and a managing subunit 7272 to keep the permitted SIDs in the login session queue and delete the unpermitted SIDs in accordance with the login permission settings, using the currently-active login sessions determined by the determination subunit 7271.
  • the embodiments of the present disclosure can realize security management of the login sessions based on the Browser/Server mode with various major websites, enabling a legitimate user to effectively manage, using a login session queue corresponding with a UID, the status of login sessions created using the UID, and preventing the login sessions created by logging in with the same UID from being beyond the legitimate user's control, thus avoiding login security issues. Additionally, the storage space of the session cache list occupied by the invalid login session(s) can be reduced by promptly deleting the invalid login session(s).

Abstract

The present disclosure provides a method, device and server for managing user login sessions. After a user has successfully logged in with a user ID via a login medium, a session cache list is queried, using the user ID, to detect whether a login session queue corresponding to the user ID exists in the session cache list. If the login session queue exists in the session cache list, the user's login status is managed through the login session queue. If the login session queue corresponding to the user ID is absent from the session cache list, a session ID corresponding to the user's login is stored in a login session queue corresponding to the user ID in the session cache list. A legitimate user is thereby able to effectively manage each login created with the user's user ID through the login session queue, and to prevent any login session created by logging in with the user ID from being beyond the legitimate user's control.

Description

METHOD, DEVICE AND SERVER FOR MANAGING USER LOGIN SESSIONS
Cross Reference to Related Application
[0001] This application claims the benefit of Chinese Patent Application No. 201510229467.8, entitled "Method of User Login Session Management, Apparatus Thereof and Server", filed May 7, 2015, and U.S. Non-Provisional Application No. 15/146,074, entitled "Method, Device and Server for Managing User Login Sessions", filed May 4, 2016, which are hereby incorporated by reference herein in their entirety.
Technical Field
[0002] The present disclosure relates to the technical field of Internet technology, and particularly to a method, device and server for managing user login sessions.
Background
[0003] In the prior art, a legitimate user can log into a website through a computing device using the user's username and password. An illegitimate user may steal the user's password when the user logs into a website via a PC, and may keep the legitimate user's login session on the computing device active by periodically refreshing the web page, which refreshes the login timestamp. The login session may be kept open in this way even if the legitimate user changes the login password: the illegitimate user can still refresh the login timestamp by refreshing the page, keeping the login session and login status active despite the password change, without the legitimate user's knowledge or permission.
Summary
[0004] It would be beneficial to provide control over a legitimate user's login status. Embodiments of the present disclosure seek to address failings in the art and to provide a capability to effectively manage the login status of a legitimate user's login session(s). In accordance with one or more embodiments of the present disclosure, each login session created by logging in using a legitimate user's user identifier (UID) can be effectively managed using a login session queue. Furthermore, each login session that has been started by logging in using the legitimate user's UID can remain under the control of the legitimate user, thus avoiding any login security issues for the legitimate user in connection with the user's UID.
[0005] According to an aspect of the present disclosure, a method for managing user login sessions using a server is provided. The method comprises querying, using a server computing device and a user ID (UID), to detect whether a login session queue corresponding to the user ID exists in a session cache list, the querying being performed after a successful login of the user with the user ID via a login medium; managing, using the server computing device, the user's login status through the login session queue, if the querying detects that the login session queue corresponding to the user ID exists in the session cache list; and storing, using the server computing device, a session ID in a login session queue corresponding to the UID in the session cache list if the querying detects an absence of the login session queue corresponding to the user ID in the session cache list.
[0006] According to another aspect of the present disclosure, a server computing device for managing user login sessions is provided. The server computing device comprises a query module querying, using a user ID, to detect whether a login session queue corresponding to the user ID exists in a session cache list, the querying being performed after a successful login of the user with the user ID via a login medium; a managing module managing the user's login status through the login session queue, if the query module detects that the login session queue corresponding to the user ID exists in the session cache list; and a first storage module storing a session ID in a login session queue corresponding to the UID in the session cache list if the query module detects an absence of the login session queue corresponding to the user ID in the session cache list.
[0007] According to yet another aspect of the present disclosure, a server is provided. The server comprises a processor and a storage medium for tangibly storing thereon program logic for execution by the processor, the stored program logic comprising: querying logic executed by the processor for querying, using a user ID, to detect whether a login session queue corresponding to the user ID exists in a session cache list, the querying being performed after a successful login of the user with the user ID via a login medium; managing logic executed by the processor for managing the user's login status through the login session queue, if the querying detects that the login session queue corresponding to the user ID exists in the session cache list; and storing logic executed by the processor for storing a session ID in a login session queue corresponding to the UID in the session cache list if the querying detects an absence of the login session queue corresponding to the user ID in the session cache list.
[0008] It is thus clear from the above technical scheme that embodiments of the present disclosure query, according to the UID, whether there is an existing login session queue corresponding to the UID in the session cache list; if there is, the user login status is managed through the login session queue, so that the login status created with a UID can be effectively managed by the legitimate user through the login session queue, and the security issues that arise when the login status created with a UID is beyond the legitimate user's control can thus be prevented.
Brief Description of the Drawings
[0009] FIG. 1 is a flow diagram of the method for managing user login sessions according to one exemplary embodiment of the present disclosure;
[0010] FIG. 2 is a flow diagram of the method for managing user login sessions according to another exemplary embodiment of the present disclosure;
[0011] FIG. 3 is a flow diagram of the method for managing user login sessions according to yet another exemplary embodiment of the present disclosure;
[0012] FIG. 4A is a flow diagram of the method for managing user login sessions according to yet another exemplary embodiment of the present disclosure;
[0013] FIG. 4B is a flow diagram of a means of realization in accordance with step 402 in the embodiment as shown in FIG. 4A;
[0014] FIG. 5 is a scene graph of the user login session management according to an exemplary embodiment of the present disclosure;
[0015] FIG. 6 illustrates a schematic view of the structure of a server according to an exemplary embodiment of the present disclosure;
[0016] FIG. 7 illustrates a schematic view of the structure of a device for managing user login sessions according to one exemplary embodiment of the present disclosure;
[0017] FIG. 8 illustrates a schematic view of the structure of a device for managing user login sessions according to another exemplary embodiment of the present disclosure;
[0018] FIG. 9 illustrates a schematic view of the structure of a device for managing user login sessions according to yet another exemplary embodiment of the present disclosure;
[0019] FIG. 10 illustrates a schematic view of the structure of a device for managing user login sessions according to yet another exemplary embodiment of the present disclosure.
Detailed Description
[0020] A detailed description of the exemplary embodiments is disclosed herein with examples shown in the Figures. In the following description and in connection with the Figures, unless otherwise specified, the same number in different Figures represents the same or similar element. The following exemplary embodiments do not represent all the embodiments of the present disclosure. On the contrary, the embodiments are intended to be exemplary and to provide examples of a device and method corresponding to some aspects of the present disclosure as described in the Claims.
[0021] The terms used in the present disclosure are only for the purpose of describing specified embodiments, instead of limiting the present disclosure. The singular form "a", "the" and "said" in the present disclosure and the appended Claims are to be construed to include the plural form, unless otherwise clearly indicated in the context. In addition, the term "and/or" used herein represents and includes any combination or all the possible combinations of one or a plurality of associated listed items.
[0022] It should be understood that although the terms such as "first", "second" and "third" may be used herein to describe all kinds of information, the information shall not be limited to the connotation of these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of the present disclosure, a first information can be called a second information, and similarly a second information can be called a first information. Depending on the context, the word "if" used herein can be interpreted as "when", "while" or "in response to the determination".
[0023] In accordance with one or more embodiments, when a user browses a website, a login session is a process which can begin with the user successfully logging in and can end with the user logging off or with a session expiration, the latter of which can be due to a login timeout. During the process, an SID identifying a login session corresponding to the user's login can be generated, and the SID can be used to track the login session corresponding to the user's login.
[0024] The present disclosure queries, using the user's UID and after the user has successfully logged in with the UID through a login medium, whether there is any existing login session queue corresponding to the UID in the session cache list. If there is a login session queue corresponding to the user's UID in the session cache list, the user's login status is managed using the login session queue. In so doing, the status of a legitimate user's login with the user's UID can be effectively managed by the legitimate user through the login session queue, and thus any security issues can be prevented for the legitimate user, including the circumstance in which the status of the user's login with the user's UID would otherwise be beyond the legitimate user's control.
[0025] In order to further describe the present disclosure, the following embodiments are herein provided.
[0026] FIG. 1 is illustrative of a flow diagram of a method for managing user login sessions in accordance with an exemplary embodiment of the present disclosure.
[0027] In step 101, the session cache list is queried using the user's UID after the user has successfully logged in with the UID via a login medium to detect whether there is any existing login session queue corresponding to the UID in the session cache list. If a login session queue is detected in the session cache list, step 102 is executed. If a login session queue is not detected in the session cache list, step 103 is executed.
[0028] Examples of login media, in accordance with at least one embodiment, include a PC, a mobile phone, a tablet, etc. In one embodiment, the UID can be the user's username used to log in to a website. For example, hanmei2015 is the UID registered by Han Mei on the AAA portal site, and Han Mei can log into the AAA portal site with the UID. In one embodiment, Han Mei can log into the AAA portal site through a PC browser, as well as a mobile phone browser.
[0029] In one embodiment, the session cache list can be implemented through a high-performance TAIR cache, so as to store the user login session from the user's perspective. In one embodiment, when the user logs into the AAA portal site, an SID can be created for this login and a mapping relationship between the UID and the SID can be established and stored in the session cache list in a login session queue corresponding to the UID. In one embodiment, a UID corresponds to a login session queue, in which the corresponding login medium (e.g., a PC, a mobile phone, a tablet, etc.), IP address, time and browser information (e.g., browser name, version number, etc.) of each login to the AAA portal site with the UID can be recorded; if the storage capacity of the login session queue is adequate, the login session queue can record all the login history about when and through what login medium the user logged into the AAA portal site with the UID.
[0030] In step 102, which is performed if the querying performed in step 101 detects a login session queue corresponding to the UID in the session cache list, the user's login status is managed using the login session queue corresponding to the UID detected in the session cache list, and the process ends.
[0031] In one embodiment, management of the login session queue can be implemented by determining whether the size of the login session queue exceeds a predetermined threshold. In another embodiment, management of the login session queue can be implemented by determining whether the storage duration of each SID in the login session queue exceeds a predetermined storage cycle. In yet another embodiment, each currently active login session in the login session queue can also be managed based on the login permission settings set by the user.
[0032] For example, Han Mei personally logs into the AAA portal site with the UID hanmei2015 and this is not the first time that the hanmei2015 UID has been used by Han Mei to log in to the AAA portal site. A login session queue corresponding to the hanmei2015 UID exists in the session cache list, and the current login session and a login session history of other logins to the AAA portal site with the hanmei2015 UID can be stored in the login session queue. Han Mei logs into the AAA portal site with the hanmei2015 UID on a public computer but forgets to log out. An illegitimate user Li Ming continues the login session, which began with Han Mei logging in to the AAA portal site with Han Mei's UID on the public computer. As discussed herein, Li Ming can continue the login session by performing a web page refresh, for example.
[0033] After Han Mei is home and logs in to the AAA portal site with the hanmei2015 UID again, Han Mei can manage the login status of a login session, including the one currently being kept active by Li Ming on the public computer, through the login session queue corresponding to the hanmei2015 UID. If the login session queue indicates that Han Mei remains logged in to the AAA portal site with the hanmei2015 UID on the public computer, Han Mei can log out of the AAA portal site on the public computer, which results in the illegitimate user Li Ming being prevented from continuing to use Han Mei's login session into the AAA portal site. Therefore, each login session created using the UID hanmei2015 can be effectively managed by Han Mei using the login session queue, and thus any security issues can be eliminated, including the security issues associated with Han Mei's login session created with the hanmei2015 UID, which login session's status would otherwise be beyond her control.
[0034] In step 103, which is performed if the querying performed in step 101 detects an absence of a login session queue corresponding to the UID in the session cache list, the SID corresponding to the current login of the user is stored in a login session queue in the session cache list, and the process ends.
[0035] For example, Han Mei logs in to the AAA portal site with the hanmei2015 UID for the first time, which is the first UID that Han Mei uses. As a result, an SID is created for the login session associated with Han Mei's login with the hanmei2015 UID, and the SID is stored in a login session queue. As discussed in connection with step 102, for example, the login session queue can be used to manage the login status of each login session associated with a login using the hanmei2015 UID.
[0036] At least one embodiment provided herein queries, using a UID, whether there is any existing login session queue corresponding to the UID in the session cache list and manages the user login status through the login session queue if an existing login session queue is detected.
The at least one embodiment enables legitimate users to effectively manage, through the login session queue, the login status of each login session created by the user logging in with the UID. Furthermore and in accordance with at least one embodiment, any security issues can be prevented or eliminated for a legitimate user, even in a case that a login session created with the UID would otherwise be beyond the legitimate user's control.
[0037] In order to effectively manage each login status of each login session of each user of a large number of users in connection with a number of different major websites, a large storage capacity is needed. In order to reasonably store a login session queue corresponding to each UID for which the login status is being managed using a login session queue, embodiments of the present disclosure solve the problem of storage capacity of the session cache list. FIGs. 2 and 3 illustrate a storage capacity management of a login session queue in accordance with one or more embodiments of the present disclosure.
[0038] FIG 2 provides a flow diagram illustrating a method for managing user login sessions in accordance with at least one exemplary embodiment of the present disclosure. In accordance with the at least one exemplary embodiment, storage capacity of a login session queue can be managed by deleting an SID in the login session queue. The method in the example shown in FIG. 2 comprises steps 201-204.
[0039] In step 201, a determination is made whether a size of a login session queue exceeds a predetermined threshold. If the login session queue's size exceeds the predetermined threshold, processing continues in step 202. If the login session queue's size does not exceed the predetermined threshold, processing continues in step 204.
[0040] For example, in response to use of Han Mei's hanmei2015 UID in a series of login actions on the AAA portal site, an SID corresponding to each login session is created to record the login actions involving Han Mei's hanmei2015 UID. In order to ensure that there is adequate storage capacity for Han Mei's login session queue, the threshold corresponding to the size of Han Mei's login session queue can be set to a value, such as and without limitation a value of 50, so that Han Mei's login session queue can record Han Mei's login status on the AAA portal site in connection with 50 logins using the hanmei2015 UID.
[0041] In one embodiment, the predetermined threshold used in accordance with at least one embodiment of the present disclosure can be reasonably determined based on various factors, such as and including user login frequency, a user rating (e.g., a login rating represented by stars, i.e., one-star, two-star, etc.), a user type (e.g., enterprise user and individual user) and a storage capacity of the cache list. For example, an average login frequency of user A is once every day, and an average login frequency of user B is ten times every day. A login rating of user A is five-star (high rating), and a login rating of user B is one-star. A user type of user A is an enterprise user, and a user type of user B is individual user. In such a scenario, the corresponding threshold settings of user A and user B are likely to be different, and when the factors to which user A and user B correspond respectively change, the respective threshold settings can be adjusted to flexibly manage each user's login status.
[0042] In step 202, if the size of the login session queue exceeds the predetermined threshold, each invalid login session in the login session queue is identified and each login session identified as being invalid is deleted from the login session queue. Each invalid login session deleted from the login session queue is stored in a first database in step 203. In one embodiment, by storing the invalid login sessions in the first database, the user can query the login status history of his/her own UID on any login medium (e.g., a PC) in the first database when the user wishes to do so. Processing ends in step 203.
[0043] In one embodiment, an invalid login session in the login session queue can be determined according to preset conditions. For example, if a user's invalid login sessions are determined by the user's login time, the oldest login sessions can be deleted. As yet another example, a user's invalid login sessions can be determined by a predetermined login medium set by the user. For example, Han Mei logs into the AAA portal site with the hanmei2015 UID, and her favorite login medium is a PC. Therefore, Han Mei can set a predetermined login medium to be the PC and indicate that any login sessions with the hanmei2015 UID generated using a mobile device are to be deleted.
[0044] In step 204, the SID corresponding to a specific login is stored in the login session queue, if the predetermined threshold has not been exceeded, and the process ends.
[0045] In this embodiment, by comparing the size of the login session queue with the predetermined threshold, when the size of the login session queue exceeds the predetermined threshold, any invalid login sessions are deleted from the login session queue, so as to promptly clear the invalid login sessions in the login session queue and reduce the storage space of the session cache list by the space occupied by the invalid login session(s).
[0046] FIG 3 provides a flow diagram illustrating a method for managing user login sessions in yet another exemplary embodiment of the present disclosure. In accordance with at least one exemplary embodiment, storage capacity of a login session queue can be controlled by deleting an SID in the login session queue using a storage cycle. The method in the example shown in FIG. 3 comprises steps 301-305.
[0047] In step 301, a storage duration of each SID in the login session queue is determined. In one embodiment, if the storage cycle is, for example, set to be 1 month, each SID in the login session queue with a storage duration exceeding 1 month is regarded as an invalid login session.
[0048] In step 302, each SID in the login session queue that has a storage duration not exceeding the storage cycle is considered to be an active SID in the login session queue. In step 303, each SID identified as being active in step 302 is stored in a second database.
[0049] In steps 302 and 303, by storing the active SID in the second database, when the user wishes to perform a password change, the user's active SID can be obtained from the second database. Each of the active login sessions that is to be deleted in accordance with the user's login permission settings can be deleted, and each active login session that is permitted by the login permission settings can be maintained. The user is able to maintain a plurality of login sessions with the same UID on the same login medium (e.g., a PC) in accordance with the login permission settings in a Browser/Server mode (B/S mode). The user is also able to permit only one login with the same UID via the same login medium. The user is able to flexibly manage the login status of his/her UID.
[0050] In step 304, each login session in the login session queue exceeding the storage cycle is determined to be an invalid login session in the login session queue. In step 305, each invalid login session is stored in the first database.
[0051] In steps 304 and 305, by storing the invalid login sessions in the first database, which can be regarded as a security information platform, the user's invalid login sessions can be obtained from the first database when it is desirable to ascertain the login status of all of the user's login sessions. Furthermore, when it is desirable to penalize an illegitimate user, any UIDs of the illegitimate user can be taken back, so that the illegitimate user's UIDs can no longer be used by the illegitimate user, and the login status of the illegitimate user can be revoked.
[0052] In the exemplary embodiment of FIG 3, by comparing the storage duration of each SID in the login session queue with the predetermined storage cycle, when the storage duration of the login session queue exceeds the predetermined storage cycle, each SID having a storage duration exceeding the predetermined storage cycle can be deleted from the login session queue, so as to promptly clear the invalid login sessions in the login session queue and reduce the storage space occupied by the invalid login sessions.
[0053] In accordance with one or more embodiments of the present disclosure, the embodiments shown in FIGs. 2 and 3 can be combined, so that all of a user's login sessions can be stored. By deleting stored SIDs in accordance with the methods shown in FIGs. 2 and 3, the storage capacity of the cache list can be maintained within a certain range. For example, if the number of active users of the AAA portal site each day is 50,000,000, then for the AAA portal site, the required storage capacity of the server is: (50,000,000 users) * (the number of logins per day per user) * (the storage space each login session occupies), which means that a storage capacity of at least 1024G is required. In the embodiment of the present disclosure, the storage capacity of the session cache list can be reduced and the management of all the user logins of the AAA portal site can be implemented by the prompt deletion of SIDs in the login session queue.
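As an added illustration (not code from the patent or from the assignee), the following Python sketch models the session cache list of [0029] as a dictionary keyed by UID whose values are login session queues of session records, and combines the two storage-management methods of FIGs. 2 and 3 on each login as [0053] suggests: SIDs stored longer than the storage cycle are moved to the first database and the active remainder is mirrored to the second database; then, only if the queue still exceeds the threshold, invalid sessions are evicted using the two selection rules of [0043] (sessions on a non-preferred login medium, then the oldest). The class and field names, the order of the two checks, and the choice to store the new SID after eviction are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class SessionRecord:
    """One entry of a login session queue; the fields follow [0029]."""
    sid: str
    medium: str        # login medium: "pc", "mobile", "tablet", ...
    ip: str
    browser: str
    created: datetime  # login time; storage duration = now - created


@dataclass
class SessionStore:
    """Session cache list plus the first (invalid) and second (active) databases.

    Names and structure are assumptions of this example, not the patent's code.
    """
    threshold: int = 50                              # queue-size threshold ([0040] uses 50)
    storage_cycle: timedelta = timedelta(days=30)    # storage cycle ([0047] uses 1 month)
    preferred_medium: Optional[str] = None           # [0043]: user-set medium; others are invalid
    cache: Dict[str, List[SessionRecord]] = field(default_factory=dict)      # session cache list
    first_db: Dict[str, List[SessionRecord]] = field(default_factory=dict)   # invalid sessions (history)
    second_db: Dict[str, List[SessionRecord]] = field(default_factory=dict)  # active sessions

    def login(self, uid: str, record: SessionRecord, now: datetime) -> List[SessionRecord]:
        """Step 101: query the cache list by UID; step 103 creates the queue, step 102 manages it."""
        queue = self.cache.get(uid)
        if queue is None:
            self.cache[uid] = [record]
            self.second_db[uid] = [record]
            return self.cache[uid]
        queue = self._apply_storage_cycle(uid, queue, now)   # FIG. 3, steps 301-305
        queue = self._apply_threshold(uid, queue)            # FIG. 2, steps 201-203
        queue.append(record)                 # assumption: the new SID is stored after eviction
        self.cache[uid] = queue
        self.second_db[uid] = list(queue)    # steps 302-303: active SIDs kept in the second database
        return queue

    def _apply_storage_cycle(self, uid, queue, now):
        """Steps 301, 304, 305: SIDs stored longer than the cycle are invalid -> first database."""
        active, invalid = [], []
        for r in queue:
            (invalid if now - r.created > self.storage_cycle else active).append(r)
        self.first_db.setdefault(uid, []).extend(invalid)
        return active

    def _apply_threshold(self, uid, queue):
        """Steps 201-203: only when the queue exceeds the threshold, evict invalid sessions.
        Selection follows [0043]: sessions on a non-preferred medium first, then the oldest."""
        if len(queue) <= self.threshold:
            return queue
        keep = [r for r in queue
                if self.preferred_medium is None or r.medium == self.preferred_medium]
        evicted = [r for r in queue if r not in keep]
        keep.sort(key=lambda r: r.created)
        while len(keep) > self.threshold:
            evicted.append(keep.pop(0))
        self.first_db.setdefault(uid, []).extend(evicted)
        return keep


def demo():
    """Constructed sample run (not real data): a four-entry queue for the UID hanmei2015."""
    now = datetime(2016, 5, 4, 12, 0)

    def rec(sid, medium, days_ago):
        return SessionRecord(sid, medium, "198.51.100.1", "browser/1.0",
                             now - timedelta(days=days_ago))

    store = SessionStore(threshold=2, storage_cycle=timedelta(days=10), preferred_medium="pc")
    uid = "hanmei2015"
    store.cache[uid] = [rec("s1", "pc", 40), rec("s2", "pc", 5),
                        rec("s3", "mobile", 2), rec("s4", "pc", 1)]
    queue = store.login(uid, rec("s5", "pc", 0), now)        # existing queue: managed
    new_queue = store.login("newuser", rec("n1", "pc", 0), now)  # no queue yet: created
    return {
        "queue": [r.sid for r in queue],
        "first_db": [r.sid for r in store.first_db[uid]],
        "second_db": [r.sid for r in store.second_db[uid]],
        "new_user_queue": [r.sid for r in new_queue],
    }


if __name__ == "__main__":
    print(demo())
```

In the sample, s1 is older than the storage cycle and goes to the first database, s3 is evicted because it is on a non-preferred medium once the queue exceeds the threshold, and the second database ends up holding exactly the active queue that a later password change would read back.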
[0054] In the prior art, the security management of a user's login status is undertaken in the Client/Server mode (C/S mode). For example, the instant messaging tool QQ only allows one login for a login medium (e.g., a PC), and other logins from the same medium (i.e., other PCs) would be forced offline; the same UID cannot be flexibly used to simultaneously perform a plurality of logins and remain online via the same login medium. Embodiments of the present disclosure are based on the B/S mode, in which the same UID can be used for a plurality of logins via the same login medium based on the user's login permission settings. Please refer to the exemplary embodiments shown in FIGs. 4A and 4B.
[0055] FIG. 4A provides a flow diagram illustrating a method for managing user login sessions according to yet another exemplary embodiment of the present disclosure. The exemplary embodiment shown in FIG. 4A comprises steps 401 and 402.
[0056] In step 401, the user's login permission settings are determined after determining that the user is performing a password change via the current login medium. In one embodiment, Han Mei's login permission settings can be set according to her actual login preference. For example, Han Mei can set simultaneous logins in the office and at home as permitted through the IP address, as well as simultaneous logins on two mobile phones based on the login medium, and so on. Those skilled in the art can well understand that the foregoing login location, login medium and corresponding numbers are only for exemplary descriptive purposes. Han Mei can set login permission according to login medium (e.g., a PC, a mobile phone, a tablet, etc.), IP address, time and browser information (e.g., browser name, version number, etc.) to be recorded in the login session queue, so that Han Mei can have personalized login permission settings.
[0057] In step 402, the active login sessions in the login session queue are managed based on the user's login permission settings. In one embodiment, for example, Han Mei's login permission settings specify that only certain IP addresses from the office and home are permitted. When Han Mei's UID is detected to have been used to log in from a different IP address, the login session is deleted, forcing the illegitimate user offline, thereby enabling Han Mei to have control over logins from the different IP address, and avoiding any login security issues.
[0058] FIG. 4B provides a flow diagram illustrating an implementation in accordance with step 402 in the embodiment shown in FIG. 4A, wherein step 402 may comprise steps 411 and 412 of FIG. 4B.
[0059] In step 411 of FIG 4B, each currently active login session in the login session queue is identified. In step 412, each currently active login session that is permitted by the user's login permission settings is kept and each currently active login session that is not permitted by the user's login permission settings is deleted.
[0060] For example, there are 3 SIDs, respectively for home, office and school, in Han Mei's current login session queue. Since Han Mei has preset permission for simultaneous logins in the office and at home, the login sessions corresponding to the home IP address and the office IP address are permitted, but the SID corresponding to the school will be deleted from the login session queue, denying login with Han Mei's UID at school, or preventing Han Mei's child Li Lei from logging into the AAA portal site with Han Mei's UID. Since Han Mei has set the school IP address as unpermitted, when the school IP address is detected in the login session queue, the SID of the login at the school IP address is deleted, so that Li Lei's school login status is deleted and Li Lei is forced offline. Thus, the login session associated with Li Lei logging in to the AAA portal site through the school IP address is within Han Mei's control, and Han Mei's management of her login status is improved.
[0061] In accordance with at least one embodiment, the login permission can be set according to login media (e.g., a PC, a mobile phone, a tablet, etc.), IP address, time and browser information (e.g., browser name, version number, etc.) corresponding to the UIDs recorded in the login session queue, thereby personalizing login permission settings according to the preset login permission settings, improving the flexibility in managing the user's login status.
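The permission evaluation of steps 411 and 412, written out as an added example (this is not code from the patent or from the applicant): a `PermissionSettings` record holds the allowed IP addresses, login media, browsers and login-time window that paragraphs [0056] and [0061] say can be recorded, and `manage_active_sessions` returns which SIDs in a queue of currently-active sessions are kept and which are deleted. The class and function names, the session fields, and the RFC 5737 documentation addresses standing in for Han Mei's home, office and school are constructed for this example. It also covers a case the text does not spell out: a permitted time window that crosses midnight.

```python
"""Login-permission settings evaluated over a login session queue,
in the style of FIG. 4A/4B. Added example; not the patent's own code."""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class LoginSession:
    sid: str
    medium: str       # login medium: "pc", "mobile", "tablet", ...
    ip: str           # IP address recorded at login
    browser: str      # browser name recorded at login
    login_time: time  # local time of day at login


def make_session(sid: str, medium: str, ip: str, browser: str,
                 hour: int, minute: int = 0) -> LoginSession:
    """Convenience constructor so callers need not import datetime.time."""
    return LoginSession(sid, medium, ip, browser, time(hour, minute))


@dataclass(frozen=True)
class PermissionSettings:
    """One UID's login permission settings (hypothetical layout).
    An empty set means 'no restriction on that attribute'; every
    non-empty restriction must hold for a session to be permitted."""
    allowed_ips: FrozenSet[str] = frozenset()
    allowed_media: FrozenSet[str] = frozenset()
    allowed_browsers: FrozenSet[str] = frozenset()
    allowed_hours: Optional[Tuple[int, int]] = None  # [start, end) in hours

    def _hour_permitted(self, t: time) -> bool:
        if self.allowed_hours is None:
            return True
        start, end = self.allowed_hours
        if start <= end:
            return start <= t.hour < end
        return t.hour >= start or t.hour < end  # window crosses midnight

    def permits(self, s: LoginSession) -> bool:
        if self.allowed_ips and s.ip not in self.allowed_ips:
            return False
        if self.allowed_media and s.medium not in self.allowed_media:
            return False
        if self.allowed_browsers and s.browser not in self.allowed_browsers:
            return False
        return self._hour_permitted(s.login_time)


def manage_active_sessions(queue: List[LoginSession],
                           settings: PermissionSettings) -> Tuple[List[str], List[str]]:
    """Steps 411 and 412: return (kept SIDs, deleted SIDs) for the
    currently-active sessions in a login session queue."""
    kept = [s.sid for s in queue if settings.permits(s)]
    deleted = [s.sid for s in queue if not settings.permits(s)]
    return kept, deleted


# Constructed scenario mirroring paragraph [0060] (documentation addresses).
HOME_IP, OFFICE_IP, SCHOOL_IP = "203.0.113.10", "198.51.100.20", "192.0.2.30"

HAN_MEI_QUEUE = [
    make_session("sid-home", "pc", HOME_IP, "Chrome", 21),
    make_session("sid-office", "pc", OFFICE_IP, "Chrome", 10),
    make_session("sid-school", "pc", SCHOOL_IP, "Chrome", 15),
]

# Han Mei permits simultaneous logins only from the home and office IPs.
HAN_MEI_SETTINGS = PermissionSettings(allowed_ips=frozenset({HOME_IP, OFFICE_IP}))


def han_mei_example() -> Tuple[List[str], List[str]]:
    return manage_active_sessions(HAN_MEI_QUEUE, HAN_MEI_SETTINGS)


if __name__ == "__main__":
    kept, deleted = han_mei_example()
    print("kept:", kept, "deleted:", deleted)
```

Because `permits` is conjunctive, a user can combine restrictions (for example, mobile logins only, and only between 08:00 and 20:00) and any session failing one of them is removed from the queue.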
[0062] FIG. 5 provides a scene graph of a user's login session management according to an exemplary embodiment of the present disclosure. The exemplary embodiment of FIG. 5 comprises steps 501-512.
[0063] In step 501, a user logs in with a UID via a login medium. In addition, having successfully logged in, the user can be directed to corresponding transactions. In order to highlight the object of the present disclosure, the embodiments of the present disclosure do not describe these corresponding transactions in detail.
[0064] In step 502, an SID is created for the user's login. In step 503, the session cache list is queried using the user's UID. In step 504, a determination is made whether there is any existing login session queue corresponding to the UID in the session cache list. If it is determined, in step 504, that a login session queue corresponding to the UID exists in the session cache list, execution proceeds to step 505. If it is determined, in step 504, that a login session queue corresponding to the UID does not exist in the session cache list, execution proceeds to step 508.
[0065] In step 505, the login session queue corresponding to the UID is obtained from the cache list. In step 506, a determination is made whether the size of the login session queue exceeds a predetermined threshold. If the size of the login session queue exceeds the predetermined threshold, execution proceeds to step 507. Otherwise, execution proceeds to step 508.
[0066] In step 507, each invalid login session in the login session queue is identified. In step 510, each invalid login session identified in step 507 is deleted from the login session queue and stored in the first database. Processing ends.
[0067] In step 508, a new login session corresponding to the UID is created and stored in the cache list. In step 509, a determination is made whether the storage duration of any SID in the login session queue exceeds the predetermined storage cycle. Each SID with an associated storage duration exceeding the storage cycle is stored in the first database, and each SID with an associated storage duration not exceeding the storage cycle is stored in the second database. Processing ends.
[0068] In step 511, each currently-active login session is retrieved from the second database when the user is detected as performing a password change operation. In step 512, the currently-active login sessions retrieved from the second database are managed. Any login sessions that are not permitted by the user's login permission settings are deleted.
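The FIG. 5 flow (steps 502 to 512), together with the storage-cycle rule of FIG. 3, as an added example that is not the patent's or the applicant's code. `SessionCacheList` keeps one login session queue per UID, moves SIDs whose storage duration exceeds the predetermined storage cycle into a first database, records the remaining active SIDs in a second database, and on a password change keeps the current session plus whatever a caller-supplied `is_permitted` predicate allows (the predicate stands in for the login permission settings of FIG. 4). Two points are assumptions of this example rather than statements of the page: the new SID is still stored in the queue after the over-threshold pruning of steps 507 and 510, and "invalid" in step 507 uses the same storage-cycle criterion as step 509. Timestamps are plain floats so the expiry logic is deterministic.

```python
"""Session cache list with one login session queue per UID, modelled on the
FIG. 5 flow. Added example; class, method and database names are hypothetical."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class SessionRecord:
    sid: str
    stored_at: float  # time (seconds) at which the SID entered the queue


class SessionCacheList:
    def __init__(self, threshold: int, storage_cycle: float) -> None:
        self.threshold = threshold          # queue size that triggers step 507
        self.storage_cycle = storage_cycle  # predetermined storage cycle (seconds)
        self.queues: Dict[str, List[SessionRecord]] = {}  # UID -> login session queue
        self.first_db: List[Tuple[str, str]] = []         # (UID, SID) of invalid sessions
        self.second_db: Dict[str, List[str]] = {}         # UID -> currently-active SIDs

    def _is_invalid(self, rec: SessionRecord, now: float) -> bool:
        # FIG. 3 criterion: storage duration exceeds the predetermined storage cycle
        return now - rec.stored_at > self.storage_cycle

    def _sweep(self, uid: str, queue: List[SessionRecord], now: float) -> List[str]:
        """Delete invalid SIDs from the queue and store them in the first database."""
        invalid = [r for r in queue if self._is_invalid(r, now)]
        for rec in invalid:
            queue.remove(rec)
            self.first_db.append((uid, rec.sid))
        return [r.sid for r in invalid]

    def login(self, uid: str, now: float) -> str:
        """Steps 502 to 510 for one successful login; returns the new SID."""
        sid = secrets.token_hex(16)           # step 502: create an SID for this login
        queue = self.queues.get(uid)          # steps 503/504: query the cache list by UID
        if queue is not None and len(queue) > self.threshold:  # steps 505/506
            self._sweep(uid, queue, now)      # steps 507/510: invalid -> first database
        # Step 508: store the new login (the queue is created on the first login).
        # Assumption of this example: the new SID is stored even after pruning.
        queue = self.queues.setdefault(uid, [])
        queue.append(SessionRecord(sid, now))
        self._sweep(uid, queue, now)          # step 509: expired SIDs -> first database
        self.second_db[uid] = [r.sid for r in queue]  # step 509: active SIDs -> second database
        return sid

    def active_sessions(self, uid: str) -> List[str]:
        return list(self.second_db.get(uid, []))

    def on_password_change(self, uid: str, current_sid: str,
                           is_permitted: Callable[[str], bool]) -> List[str]:
        """Steps 511/512: read the active SIDs from the second database, keep the
        current login and the permitted ones, delete the rest. Returns the SIDs
        that were forced offline."""
        active = self.second_db.get(uid, [])                       # step 511
        forced_offline = [s for s in active
                          if s != current_sid and not is_permitted(s)]  # step 512
        if uid in self.queues:
            self.queues[uid] = [r for r in self.queues[uid] if r.sid not in forced_offline]
        self.second_db[uid] = [s for s in active if s not in forced_offline]
        return forced_offline


def demo() -> Dict[str, int]:
    """Constructed run: threshold 3, one-hour storage cycle, five logins, then a
    password change from the fifth session that permits only the third."""
    cache = SessionCacheList(threshold=3, storage_cycle=3600.0)
    sids = [cache.login("han_mei", t) for t in (0.0, 1000.0, 2000.0, 3000.0, 4000.0)]
    active_before = len(cache.active_sessions("han_mei"))
    gone = cache.on_password_change("han_mei", sids[4], lambda s: s == sids[2])
    return {"invalid_in_first_db": len(cache.first_db),
            "active_before_change": active_before,
            "forced_offline": len(gone),
            "active_after_change": len(cache.active_sessions("han_mei"))}


if __name__ == "__main__":
    print(demo())
```

In the constructed run the fifth login finds four SIDs in the queue, which exceeds the threshold of 3, so only the first SID (stored 4000 s earlier, beyond the 3600 s cycle) is moved to the first database; the password change then forces the second and fourth sessions offline while the current and the permitted third session stay active, which is the behaviour paragraph [0069] describes.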
[0069] By managing the user SIDs as described above and in the B/S mode, the user can obtain all login status for a given UID on all login media (e.g., a PC, a mobile phone) through the login session queue, including the active and invalid logins. Moreover, in the B/S mode, according to the embodiments of the present disclosure, a plurality of simultaneous logins with the same UID via the same login medium (e.g., a PC) can be achieved by managing the login permission settings; or, only one login with the same UID via the same login medium may be permitted, while all other logins via other media are forced offline. Embodiments of the present disclosure also enable the login via the current login medium to remain valid while forcing the logins via other login media offline when the user is detected to be performing a password change.
[0070] Corresponding to the above method for managing user login sessions, the present disclosure also discloses a schematic view of the structure of a server in accordance with an exemplary embodiment of the disclosure, shown in FIG. 6. In terms of hardware, the server comprises a processor, an internal bus, a network interface, a memory and a nonvolatile memory. The server may include other hardware. The processor reads the corresponding computer program from the nonvolatile memory into the memory and then runs the program, and thus logically forms a device for managing user login sessions. In addition to a software implementation, it is natural that the present disclosure does not exclude other means of implementation, such as a logic device or a combination of software and hardware. In other words, rather than being limited to the respective logic units, the subject of the following processes can also be hardware or a logic device, for example.
[0071] FIG 7 provides an illustration of a schematic view of the structure of a device for managing user login sessions in accordance with one exemplary embodiment of the disclosure. In a software implementation, the device for managing the login sessions can comprise a query module 71, a managing module 72 and a first storage module 73.
[0072] The query module 71 queries, using the UID and after the user has successfully logged in with the UID via a login medium, whether there is any existing login session queue corresponding to the UID in the session cache list. The managing module 72 manages the user login status through the login session queue if the query module 71 detects that there is an existing login session queue. The first storage module 73 stores the SID corresponding to the new login in the session cache list in the form of a login session queue if the query module 71 detects that there is no existing login session queue.
[0073] FIG. 8 provides an example of a schematic view of the structure of a device for managing user login sessions according to another exemplary embodiment of the present disclosure. In the exemplary embodiment shown in FIG. 8, the device shown in FIG. 7 can further comprise a creation module 74, which is used to create an SID for this login for the user, and an establishment module 75, which is used to establish the mapping relationship between the UID and the SID created by the creation module 74. The mapping relationship is established by the establishment module 75 so that the query module 71 can query, according to the UID, the login session queue in the session cache list.
[0074] In one embodiment, the managing module 72 can comprise a first determination unit 721, a second determination unit 722 and a storage unit 723.
[0075] The first determination unit 721 determines whether the size of the login session queue detected by the query module 71 exceeds the predetermined threshold. The second determination unit 722 identifies any invalid login sessions in the login session queue and deletes any invalid login session(s) from the login session queue, if the first determination unit 721 determines that the login session queue's size exceeds the predetermined threshold. The storage unit 723 stores the SID corresponding to the new login in the login session queue, if the first determination unit 721 determines that the size of the login session queue does not exceed the predetermined threshold.
[0076] In one embodiment, the device can further comprise a second storage module 76 to store the invalid login sessions identified by the second determination unit 722 in the first database.
[0077] FIG 9 provides an example of a schematic view of a structure of a device for managing user login sessions in accordance with yet another exemplary embodiment of the present disclosure. Based on the embodiment of FIG 9, the managing module 72 shown in FIG 7 can comprise a third determination unit 724, a fourth determination unit 725 and a deletion unit 726.
[0078] The third determination unit 724 determines whether the storage duration of each SID in the login session queue detected by the query module 71 exceeds the predetermined storage cycle. The fourth determination unit 725 identifies each SID (determined by the third determination unit 724) having a storage duration exceeding the predetermined storage cycle in the login session queue as an invalid login session in the login session queue. The deletion unit 726 deletes each invalid login session identified by the fourth determination unit 725 from the login session queue.
[0079] In one embodiment, the device can further comprise a third storage module 77 to store, in the first database, each invalid login session deleted by the deletion unit 726.
[0080] In one embodiment, the device can further comprise a first determination module 78 to determine each SID (detected by the query module 71) having a storage duration not exceeding the predetermined storage cycle in the login session queue as an active SID, and a fourth storage module 79 to store each active SID determined by the first determination module 78 in the second database.
[0081] FIG. 10 provides an example of a schematic view of the structure of a device for managing user login sessions in accordance with yet another exemplary embodiment of the present disclosure. Based on the embodiment of FIG 10, the managing module 72 shown in FIG 7 can comprise a fifth determination unit 726 to determine the user's login permission settings after detecting that the user is performing a password change via the current login medium, and a managing unit 727 to manage the currently-active login sessions in the login session queue according to the login permission settings determined by the fifth determination unit 726.
[0082] In one embodiment, the managing unit 727 can comprise a determination subunit 7271 to determine the currently-active login sessions in the login session queue, and a managing subunit 7272 to keep the permitted SIDs in the login session queue and delete the unpermitted SIDs in accordance with the login permission settings, among the sessions determined by the determination subunit 7271.
[0083] It is thus clear from the above embodiments that the embodiments of the present disclosure can realize security management of the login sessions based on the Browser/Server mode with various major websites, enabling a legitimate user to effectively manage, using a login session queue corresponding with a UID, the status of login sessions created using the UID, and preventing the login sessions created by logging in with the same UID from being beyond the legitimate user's control, thus avoiding login security issues. Additionally, the storage space of the session cache list occupied by the invalid login session(s) can be reduced by promptly deleting the invalid login session(s).
[0084] Upon reviewing the Description and implementing the present disclosure disclosed herein, other embodiments of the present disclosure may become apparent to those skilled in the art. The present disclosure intends to include all the variations, uses or adaptable variations that accord with the general principles of the present disclosure and include common knowledge or conventional technique in the art not disclosed by the present disclosure. The Description and embodiments are only exemplary, and the veritable scope and spirit of the present disclosure are specified in the Claims hereinafter.
[0085] It shall be understood that the terms "comprise", "include" or any other variations thereof are intended to mean inclusiveness without exclusion, and thus a process, method, commodity or device including a series of elements comprises not only the listed elements, but also other elements which are not expressly listed, or it also comprises the inherent elements that the process, method, commodity or device hereof has. Without further specification, the expression "comprising a ... " does not indicate that only the element that the subject comprises is present; other like elements, such as processes, methods, commodities or devices, may also be present.
[0086] All the foregoing embodiments are only the preferred embodiments of the present disclosure, which shall not be used to limit this Application. Any modification, equivalent replacement or modification within the spirit and principle of the present disclosure shall be within the scope of the present application.

Claims

1. A method comprising:
querying, using a server computing device and a user ID, to detect whether a login session queue corresponding to the user ID exists in a session cache list, the querying being performed after a successful login of the user with the user ID via a login medium;
managing, using the server computing device, the user's login status through the login session queue, if the querying detects that the login session queue corresponding to the user ID exists in the session cache list; and
storing, using the server computing device, a session ID in a login session queue corresponding to the UID in the session cache list if the querying detects an absence of the login session queue corresponding to the user ID in the session cache list.
2. The method of claim 1, further comprising:
creating a session ID in response to the user's login; and
establishing a mapping relationship between the user ID and the session ID.
3. The method of claim 1, managing the user login status through the login session queue further comprising:
determining, using the server computing device, whether a size of the login session queue exceeds a predetermined threshold;
determining, using the server computing device, whether each login session in the login session queue is an invalid login session in the login session queue, deleting each login session determined to be an invalid login session from the login session queue, and storing each invalid login session deleted from the login session queue in a first database, if the size of the login session queue is determined to exceed the predetermined threshold; and
storing, using the server computing device, the session ID corresponding to the user's login in the login session queue, if the size of the login session queue is determined not to exceed the predetermined threshold.
4. The method of claim 3, managing the user login status through the login session queue further comprising:
determining, using the server computing device, the user's login permission settings after detecting that the user is performing a password change via a current login medium; and
managing each currently-active session ID in the login session queue in accordance with the login permission settings, comprising:
determining, using the server computing device and for each currently-active session ID in the login session queue, whether the currently-active session ID is a permitted session ID in accordance with the login permission settings;
keeping, using the server computing device, the currently-active session that is identified as permitted in the login session queue, and deleting, from the login session queue, each currently-active session ID identified as unpermitted.
5. The method of claim 1, managing the user login status through the login session queue further comprising:
determining, using the server computing device and for each session ID, whether a storage duration of a login session corresponding to the session ID in the login session queue exceeds a predetermined storage cycle;
determining, using the server computing device and for each session ID, that the corresponding login session is an invalid login session in the login session queue if the storage duration exceeds the predetermined storage cycle; and
deleting, using the server computing device and for each invalid login session, the invalid login session from the login session queue and storing the invalid login session in a first database.
6. The method of claim 5, further comprising:
determining, using the server computing device, each session ID in the login session queue having a storage duration not exceeding the predetermined storage cycle as an active session ID in the login session queue; and
storing each determined active session ID in a second database.
7. The method of claim 5, managing the user login status through the login session queue further comprising:
determining, using the server computing device, the user's login permission settings after detecting that the user is performing a password change via a current login medium; and
managing each currently-active session ID in the login session queue in accordance with the login permission settings, comprising:
determining, using the server computing device and for each currently-active session ID in the login session queue, whether the currently-active session ID is a permitted session ID in accordance with the login permission settings;
keeping, using the server computing device, the currently-active session that is identified as permitted in the login session queue, and deleting, from the login session queue, each currently-active session ID identified as unpermitted.
8. The method of claim 1, managing the user login status through the login session queue further comprising:
determining, using the server computing device, the user's login permission settings after detecting that the user is performing a password change via a current login medium; and
managing each currently-active session ID in the login session queue in accordance with the login permission settings.
9. The method of claim 8, managing each currently-active session ID in the login session queue according to the login permission settings further comprising:
determining, using the server computing device and for each currently-active session ID in the login session queue, whether the currently-active session ID is a permitted session ID in accordance with the login permission settings;
keeping, using the server computing device, the currently-active session that is identified as permitted in the login session queue, and deleting, from the login session queue, each currently-active session ID identified as unpermitted.
10. A server computing device comprising:
a query module querying, using a user ID, to detect whether a login session queue corresponding to the user ID exists in a session cache list, the querying being performed after a successful login of the user with the user ID via a login medium;
a managing module managing the user's login status through the login session queue, if the query module detects that the login session queue corresponding to the user ID exists in the session cache list; and
a first storage module storing a session ID in a login session queue corresponding to the UID in the session cache list if the query module detects an absence of the login session queue corresponding to the user ID in the session cache list.
11. The device of claim 10, further comprising:
a creation module creating a session ID in response to the user's login; and
a mapping module establishing a mapping relationship between the user ID and the session ID created by the creation module.
12. The device of claim 10, the managing module further comprising:
a first determination unit determining whether a size of the login session queue exceeds a predetermined threshold;
a second determination unit determining whether each login session in the login session queue is an invalid login session in the login session queue and deleting each login session determined to be an invalid login session from the login session queue, if the size of the login session queue is determined to exceed the predetermined threshold;
a storage unit storing the session ID corresponding to the user's login in the login session queue, if the size of the login session queue is determined not to exceed the predetermined threshold; and
a second storage module storing, in a first database, each invalid login session identified by the second determination unit.
13. The device of claim 12, the managing module further comprising:
a fifth determination unit determining the user's login permission settings after detecting that the user is performing a password change via a current login medium; and
a managing unit managing each currently-active session ID in the login session queue according to the login permission settings in accordance with the login permission settings determined by the fifth determination unit, the managing unit further comprising:
a determination subunit determining, for each currently-active session ID in the login session queue, whether the currently-active session ID is a permitted session ID in accordance with the login permission settings; and
a managing subunit keeping each currently-active session ID that is identified by the determination subunit to be permitted in the login session queue, and deleting, from the login session queue, each currently-active session ID that is identified by the determination subunit to be unpermitted.
14. The device of claim 10, the managing module further comprising:
a third determination unit determining, for each session ID, whether a storage duration of a login session corresponding to the session ID in the login session queue exceeds a predetermined storage cycle;
a fourth determination unit determining, for each session ID, that the corresponding login session is an invalid login session in the login session queue, if the login session's storage duration determined by the third determination unit exceeds the predetermined storage cycle;
a deletion unit deleting each invalid login session identified by the fourth determination unit from the login session queue; and
a third storage module storing each invalid login session deleted from the login session queue by the deletion unit in a first database.
15. The device of claim 14, further comprising:
a determination module determining each session ID in the login session queue having a storage duration not exceeding the predetermined storage cycle as an active session ID in the login session queue; and
a fourth storage module storing each determined active session ID in a second database.
16. The device of claim 14, the managing module further comprising:
a fifth determination unit determining the user's login permission settings after detecting that the user is performing a password change via a current login medium; and
a managing unit managing each currently-active session ID in the login session queue according to the login permission settings in accordance with the login permission settings determined by the fifth determination unit, the managing unit further comprising:
a determination subunit determining, for each currently-active session ID in the login session queue, whether the currently-active session ID is a permitted session ID in accordance with the login permission settings; and
a managing subunit keeping each currently-active session ID that is identified by the determination subunit to be permitted in the login session queue, and deleting, from the login session queue, each currently-active session ID that is identified by the determination subunit to be unpermitted.
17. The device of claim 10, the managing module further comprising:
a fifth determination unit determining the user's login permission settings after detecting that the user is performing a password change via a current login medium; and
a managing unit managing each currently-active session ID in the login session queue according to the login permission settings in accordance with the login permission settings determined by the fifth determination unit.
18. The device of claim 17, the managing unit further comprising:
a determination subunit determining, for each currently-active session ID in the login session queue, whether the currently-active session ID is a permitted session ID in accordance with the login permission settings; and
a managing subunit keeping each currently-active session ID that is identified by the determination subunit to be permitted in the login session queue, and deleting, from the login session queue, each currently-active session ID that is identified by the determination subunit to be unpermitted.
19. A server, comprising:
a processor; and
a storage medium for tangibly storing thereon program logic for execution by the processor, the stored program logic comprising:
querying logic executed by the processor for querying, using a user ID, to detect whether a login session queue corresponding to the user ID exists in a session cache list, the querying being performed after a successful login of the user with the user ID via a login medium;
managing logic executed by the processor for managing the user's login status through the login session queue, if the querying detects that the login session queue corresponding to the user ID exists in the session cache list; and
storing logic executed by the processor for storing a session ID in a login session queue corresponding to the UID in the session cache list if the querying detects an absence of the login session queue corresponding to the user ID in the session cache list.
PCT/US2016/030889 2015-05-07 2016-05-05 Method, device and server for managing user login sessions WO2016179348A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP16790059.6A EP3292465A4 (en) 2015-05-07 2016-05-05 Method, device and server for managing user login sessions
JP2017553355A JP6563515B2 (en) 2015-05-07 2016-05-05 Method, device and server for managing user login sessions
SG11201708868XA SG11201708868XA (en) 2015-05-07 2016-05-05 Method, device and server for managing user login sessions
KR1020177031892A KR102027668B1 (en) 2015-05-07 2016-05-05 How to manage user login sessions, devices, and servers

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201510229467.8 2015-05-07
CN201510229467.8A CN106209744B (en) 2015-05-07 2015-05-07 Subscriber sign-in conversation management-control method, device and server
US15/146,074 US10182058B2 (en) 2015-05-07 2016-05-04 Method, device and server for managing user login sessions
US15/146,074 2016-05-04

Publications (1)

Publication Number Publication Date
WO2016179348A1 true WO2016179348A1 (en) 2016-11-10

Family

ID=57218373

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2016/030889 WO2016179348A1 (en) 2015-05-07 2016-05-05 Method, device and server for managing user login sessions

Country Status (1)

Country Link
WO (1) WO2016179348A1 (en)

US9900318B2 (en) Method of and system for processing an unauthorized user access to a resource
US20140165164A1 (en) Method to Obtain a Virtual Desktop Stored in a Cloud Storage System, a Corresponding Cloud Broker and Cloud Desktop Agent
US20140208408A1 (en) Methods and apparatus to facilitate single sign-on services
US9935940B1 (en) Password security
WO2018024176A1 (en) Device and method preventing repeated logins of same user
US20110225648A1 (en) Method and apparatus for reducing the use of insecure passwords
WO2016179348A1 (en) Method, device and server for managing user login sessions
US11089019B2 (en) Techniques and architectures for secure session usage and logging
WO2015062266A1 (en) System and method of authenticating user account login request messages
US20220393899A1 (en) System and method for an attention management platform and service
Tomlinson et al. Sessions

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 16790059; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2017553355; Country of ref document: JP; Kind code of ref document: A)
WWE WIPO information: entry into national phase (Ref document number: 11201708868X; Country of ref document: SG)
ENP Entry into the national phase (Ref document number: 20177031892; Country of ref document: KR; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)