WO2001044975A9 - Identifying web users in a proxy server - Google Patents

Identifying web users in a proxy server

Info

Publication number
WO2001044975A9
WO2001044975A9 PCT/US2000/033862 US0033862W WO0144975A9 WO 2001044975 A9 WO2001044975 A9 WO 2001044975A9 US 0033862 W US0033862 W US 0033862W WO 0144975 A9 WO0144975 A9 WO 0144975A9
Authority
WO
WIPO (PCT)
Prior art keywords
user
computer system
address
message
request
Prior art date
Application number
PCT/US2000/033862
Other languages
French (fr)
Other versions
WO2001044975A2 (en
WO2001044975A3 (en
Inventor
Jason D Campbell
Ross Davisson
Issac J Roth
Original Assignee
Zack Network Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zack Network Inc filed Critical Zack Network Inc
Priority to AU20985/01A priority Critical patent/AU2098501A/en
Publication of WO2001044975A2 publication Critical patent/WO2001044975A2/en
Publication of WO2001044975A3 publication Critical patent/WO2001044975A3/en
Publication of WO2001044975A9 publication Critical patent/WO2001044975A9/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/35Network arrangements, protocols or services for addressing or naming involving non-standard use of addresses for implementing network functionalities, e.g. coding subscription information within the address or functional addressing, i.e. assigning an address to a function
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • H04L67/142Managing session states for stateless protocols; Signalling session states; State transitions; Keeping-state mechanisms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/2866Architectures; Arrangements
    • H04L67/30Profiles
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • H04L67/563Data redirection of data network streams
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • H04L67/564Enhancement of application control based on intercepted application data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/329Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]

Definitions

  • the present invention is directed to the field of computer user identification, and, more particularly, to the field of identifying computer users via the World Wide Web.
  • web browser The users of computer systems connected to the Internet commonly use a "web browser” computer program to request, receive, and display documents and other data made available via the World Wide Web by "web server” computer systems that are also connected to the Internet.
  • Such documents are generally called “web pages,” and related groups of web pages served from the same web server are generally called “web site.”
  • Each piece of data made available via the World Wide Web such as a web page or an image or other portion of a web page that is provided separately from the web page, is identified by an address called a Uniform Resource Locator ("URL").
  • URL Uniform Resource Locator
  • a web browser issues a HyperText Transfer Protocol ("HTTP") request containing its URL.
  • HTTP HyperText Transfer Protocol
  • Each URL generally includes a host name portion identifying the particular web server from which to retrieve the piece of data, as well as a path portion identifying the particular piece of data to retrieve from the identified web server.
  • the host name portion typically identifies both a "domain” identifying a group of web servers, as well as a particular web server within the domain.
  • a collection of related web pages made available in this manner is called a web site.
  • a merchant web site may select certain products to display based upon the user's past purchases from the web site.
  • a subscription news web site may exclude from accessing news those users who have not paid the subscription fee.
  • a web site typically writes a value uniquely identifying each user into a "cookie" stored on the user's computer system by the web browser.
  • the web browser subsequently sends HTTP requests to URLs in the web site's domain, this value is attached to the HTTP requests.
  • the value can then be used by the web site to associate the current HTTP request with information maintained about earlier HTTP requests from the same user, as well as information about the user gathered in other ways, such as user registration forms.
  • Proxy servers provide services to user computer systems, such as security services, in which attempts to access resources of the user computer systems from the Internet are prevented; caching services, in which frequently-accessed web pages and other data are stored in the proxy server and returned in response to HTTP requests for them; and content filtering services, in which inappropriate HTTP requests or inappropriate returned content are intercepted.
  • proxy servers can be useful for proxy servers to be able to determine the identity of a user issuing an HTTP request through the proxy server.
  • the proxy server may permit or deny HTTP requests to or responses from certain web sites based on the identity of the user, or may log HTTP requests based upon the identity of the user.
  • proxy servers are unable to store cookies on the user's computer system and retrieve them in HTTP requests that pass through the proxy server, since browsers only include cookies in HTTP requests based upon the domain in the URL, not the domain of the proxy server.
  • Proxy servers generally determine the identity of a user using a "proxy authentication" process, in which the user must type a user identifier and password in a special window at the begmning of each browser session, which is then sent in plaintext with every HTTP request sent from the browser.
  • This solution is disadvantageous, both (1) in that it is inconvenient because it requires the user to enter extra information to begin each browsing session, and (2) in that it is insecure because it includes sensitive information in each request.
  • Figure 1 is a high-level block diagram showing the environment in which the facility preferably operates.
  • Figure 2 is a flow diagram showing the steps preferably performed by the facility in order to configure the web browser to identify the user.
  • Figure 3 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 2.
  • Figure 4 is a flow diagram showing the steps preferably performed by the facility when the browser is launched subsequent to performance of the steps shown in Figure 2.
  • Figure 5 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 4.
  • Figure 6 is a data structure diagram showing the user identification table used by the facility.
  • Figure 7 is a flow diagram showing the steps preferably performed by the facility for each HTTP request issued by the user using the browser program.
  • Figure 8 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 7.
  • Figure 9 is a flow diagram showing steps preferably performed by the facility when user identity cannot be reliably determined by any other means.
  • Figure 10 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 9.
  • a software facility for identifying users of client computer systems sending messages, such as HTTP requests, to a recipient computer system, such as a proxy server computer system, (“the facility") is provided.
  • the facility provides different receiving addresses for different users to use to send messages to the recipient computer system.
  • the facility identifies the sender of a message to the recipient computer system based upon the particular receiving address at which the message is received.
  • the facility also utilizes the source address from which the message is sent in combination with the recipient addresses at which the message is received to identify the user.
  • the facility enables the receipt of proxy-diverted HTTP requests by a proxy server at a large number of different network addresses, the different network addresses having different host names and/or different port numbers. For a particular user whose HTTP requests will originate from a particular range of source addresses, the facility selects a receiving address at which to receive proxy-diverted HTTP requests from the user. The facility then configures the user's web browser to deliver all of its HTTP requests to the selected destination address. When an HTTP request is received at the proxy server, the facility uses the receiving address at which it was received and the source address from which it was sent to identify the sender.
  • the facility preferably attempts to identify the user by identifying earlier HTTP requests sent by the same user that contain identification information for the user. If this too fails to reliably identify the user originating the HTTP request, the facility preferably inserts into the HTTP reply produced by the web server in response to the HTTP request a reference to data at a web server in the proxy server domain. When this modified HTTP reply is received in the browser, the browser sends to the web server in the proxy server domain via the proxy server an additional HTTP request for the referenced data.
  • the additional HTTP request contains information identifying the user stored in a cookie for the proxy server domain, which is used by the facility to identify the user.
  • the facility reliably, unobtrusively, and securely identifies the users sending HTTP requests to a proxy server irrespective of the use of such source-concealing measures as IP masquerading and dynamic IP allocation at the user's end of the connection.
  • identification may be used, for example, to filter or log HTTP traffic originating with particular users.
  • FIG. 1 is a high-level block diagram showing the environment in which the facility preferably operates.
  • the facility shows a client computer system 110 used by a user who is to be identified.
  • the user of the client computer system 110 uses a web browser program 111 to access data provided by a web server computer system 150 connected to the Internet 140.
  • the facility uses a web browser configuration 112 and web browser cookies 113 stored in the client computer system.
  • the web browser configuration 112 instructs the web browser program to connect to the web server computer system via proxy server computer system 130.
  • the client computer system is connected to the proxy server computer system by the Internet or another network 120.
  • the proxy server computer system contains a memory 131.
  • the memory preferably contains a proxy server program 132 for forwarding requests from the client computer system to one or more web server computer systems, and for forwarding replies from one or more web server computer systems to the client computer system.
  • the memory also contains the facility 133 for identifying the user of the client computer system, as well as a user identification table 134 used by the facility. While items 132-134 are preferably stored in memory while being used, those skilled in the art will appreciate that these items, or portions of them, may be transferred between memory and a persistent storage device 136, such as a hard drive, for purposes of memory management and data integrity.
  • the proxy server computer system further contains one or more central processing units (“CPUs") 135 for executing programs, such as programs 132 and 133.
  • the proxy server computer system preferably also contains a computer-readable medium drive 1378 or reading information or installing programs as a facility phone computer-readable media, such as a floppy disk, a CD-ROM, or a DVD.
  • FIG. 2 is a flow diagram showing the steps preferably performed by the facility in order to configure the web browser to identify the user.
  • the user of the client computer system signs in to the user identification system on a web page served from the domain of the proxy server computer system by entering his user identifier and password. This web page may be served from the proxy server computer system, or another computer system in the same Internet domain.
  • the facility stores a cookie containing a user identifier identifying the user on the client computer system under the proxy domain.
  • the facility reconfigures the browser program to obtain a proxy server configuration file from a special configuration file URL within the proxy domain each time the browser program is restarted. For example, in order to do so with the Netscape Navigator browser program provided by Netscape Communications of Mountain View, California, the facility preferably instructs the browser program to execute the JavaScript script shown in Table 1.
  • Figure 3 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 2.
  • Figure 3 shows the client computer system 301 sending to the proxy server computer system 302 a user sign-in request 303.
  • the user sign-in request contains a user identifier of "gwilliams", and a password of "catdog".
  • the proxy server computer system sends to the client computer system a user sign-in response 304.
  • the user sign-in response contains an instruction to set a cookie on the client computer system for the proxy server domain.
  • the cookie that is set is named "proxy l_userid", and it is set to the value "gwilliams”.
  • the user sign-in response further includes an instruction to set the proxy configuration file URL in the client computer system to
  • FIG 4 is a flow diagram showing the steps preferably performed by the facility when the browser is launched subsequent to performance of the steps shown in Figure 2.
  • the browser program submits a request for a proxy server configuration file to the specified URL in the proxy domain.
  • the request includes the contents of the cookie for the proxy domain containing the user's user identifier.
  • the facility extracts the user identifier from the cookie received in the request for a proxy server configuration file.
  • the facility assigns to the user a proxy host address and port number that, together with the high-order portion of the client host address enclosed in the request for proxy server configuration file uniquely identifies the user.
  • the facility stores in a user identification table a row associating the user identifier with the proxy host address and proxy port number assigned in step 403, as well as with the high-order portion of the client host address.
  • the facility returns to the client computer system a proxy server configuration file specifying the proxy host address and port number assigned in step 403.
  • the browser program in the client computer system receives and processes the proxy server configuration file, it updates the browser configuration to forward each subsequent HTTP request to its ultimate destination URL via the specified proxy host address and port number.
  • Figure 5 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 4.
  • Figure 5 shows that the client computer system 501 sends to the proxy server computer system 502 a proxy configuration file request 503. It can be seen that the proxy configuration file request is sent to the proxy configuration file URL specified in the user sign-in response 304:
  • the proxy configuration file request further includes the user identifier cookie containing the user identifier for the user.
  • the proxy server computer system sends to the client computer system a proxy configuration file response 504. It contains a proxy URL comprising the assigned proxy host address, "212.19.26.13", and the assigned proxy port number, "48913".
  • FIG. 6 is a data structure diagram showing the user identification table used by the facility.
  • the user identification table 600 preferably contains a row for each user, such as row 610.
  • Each row is comprised of a source host address portion 601, a destination host address portion 602, a destination port number 603, and a user identifier 604.
  • Row 610 was generated by the facility in response to the receipt of proxy configuration file request 503. It indicates that the source address from which the proxy configuration file was received was in the range between host addresses "208.152.24.0" and "208.152.24.255" ("208.152.24.*"). It further indicates that the destination host address assigned to the user is "212.19.26.13". It further indicates that the destination port number assigned to the user is "48913".
  • FIG. 7 is a flow diagram showing the steps preferably performed by the facility for each HTTP request issued by the user using the browser program.
  • step 701 an HTTP request containing the source host address for the client computer system and the destination host address of the web server computer system and contents of any cookies stored on the client computer system for the server domain is sent to the proxy host address and port number assigned to the user.
  • step 702 the facility in the proxy computer system identifies the table row containing the high-order portion of the source address, proxy host address, and port number of the HTTP request received by the proxy computer system from the client computer system.
  • the facility retrieves the user identifier from the identified row in order to identify the user.
  • This information may be used in the proxy server computer system, or in other computer systems, for a variety of purposes, including HTTP filtering or logging.
  • the facility may also use the retrieved user identifier to identify the user as the intended recipient of an HTTP response returned by the web server computer system in response to the forwarded HTTP request. After step 703, these steps conclude.
  • FIG 8 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 7.
  • Figure 8 shows that the client computer system 801 sends to the proxy server computer system 802 an HTTP request 800.
  • the HTTP request for URL "http://www.newsl.com:80" is sent to the proxy host address and port number assigned to the user: "212.19.26.13:48913", one of a large number of proxy host address and port number combinations used by the proxy server computer system to receive HTTP requests.
  • the proxy computer system uses the proxy host address and port number and source address to select row 610 in the user identification table. The facility thus determines that the HTTP request was sent by user "gwilliams".
  • the facility uses an additional level of indirection to enable a single user to maintain two or more separate "sessions" with the proxy server computer system, each from a different client computer system.
  • a first user identification table maps from high-order source address, proxy address, and proxy port number to a session identifier
  • a second user identification table maps from session identifier to user identifier.
  • the facility preferably identifies client computer systems that are prevented by a firewall or a similar device from sending HTTP requests to certain proxy addresses or port numbers, and selects a proxy address and port number for such client computer systems to which such client computer systems are able to send HTTP requests.
  • the facility preferably identifies users based solely upon the entire client computer system host address.
  • the cookie stored on the client computer system is preferably refreshed periodically to prevent the cookie from expiring and being removed from the client computer system.
  • the facility preferably maintains information on each received HTTP request, and uses a referrer field in the HTTP header of each HTTP request to identifier among the HTTP request chains, also called "click streams," that each constitute a chain—or series—of HTTP requests from the same user.
  • the facility preferably traverses the HTTP request chain containing the HTTP request to determine the identity of the user. This is possible, for example, where the HTTP chain includes a user sign-in request identifying the user.
  • the facility preferably also uses a user-agent field containing a text string identifying the browser and its environment, which is invariant within a particular browser and client computer system, and therefore invariant within an HTTP request chain.
  • the facility preferably also uses the time at which each HTTP request is received at the proxy computer system to identify HTTP request chains, as issuance by a single user of HTTP requests at certain time intervals is much more likely than issuance at other intervals. For example, users seldom issue successive HTTP requests at intervals shorter than .5 seconds.
  • the facility preferably resorts to additional measures. For example, where the client computer system is subjected to IP masquerading, the client computer system cannot be configured to proxy HTTP requests to a special receiving address, and where the user's HTTP request chain was broken by using a bookmark instead of following a link, the foregoing techniques may fail to reliably identify the user.
  • FIG. 9 is a flow diagram showing steps performed by the facility to identify the user when user identity cannot be reliably determined by other means. These steps are preferably performed while processing an HTTP request to a web server outside the proxy domain.
  • the facility when the facility receives from the web server an HTTP reply to the HTTP response that contains a web page, the facility modifies the HTTP reply to include in the web page an image tag referencing an image at a URL within the proxy domain.
  • the browser on the client computer system receives the modified HTTP reply and processes the contained web page, the browser generates and sends an additional HTTP request for the referenced image, which is forwarded via the proxy server like all of the other HTTP requests sent from the browser. Because it is addressed to a web server in the proxy domain, the browser attaches to the HTTP request for the image the value of the user identifier cookie stored for the user under the proxy domain by the browser in step 202.
  • step 902 the facility in the proxy server receives the HTTP request for the image containing the user identifier cookie value.
  • the facility uses the user identifier cookie value, containing the user identifier for the user, to identify the user.
  • step 904 the facility returns to the client computer system an HTTP reply containing a small, transparent image. In one embodiment, the facility does so by forwarding the HTTP request for the image to a separate web server computer system, then forwarding to the client computer system an HTTP reply generated by the web server computer system. In an alternative embodiment, the proxy server itself generates the HTTP reply and sends it to the client computer system. After step 904, these steps conclude.
  • FIG 10 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 9.
  • Figure 10 shows a web server 1003 outside the proxy domain sending an HTTP reply 1011 to the proxy server computer system 1002.
  • HTTP reply 1011 contains a web page generated by web server 1003.
  • the proxy server computer system modifies the HTTP reply 1011 to insert an image tag in the web page contained therein.
  • the client computer system When the client computer system receives the modified HTTP reply containing the image tag, the client computer system generates and sends to the proxy server an HTTP request 1021 for the image. Because the URL for the image is in the proxy domain, the client computer system attaches to the HTTP request for the image the value of the user identifier cookie stored for the user under the proxy domain, "gwilliams".
  • the proxy server computer system receives the HTTP request for the image, the proxy server extracts value of the user identifier cookie from the HTTP request for the image and uses it to identify the user.
  • the proxy server also forwards the HTTP request for the image 1022 to a web server 1004 within the proxy server domain. Web server 1004 responds with an HTTP reply 1023 containing the image, which the proxy server forwards as HTTP reply 1024 to the client computer system.
  • a facility may be used to identify users using a client program other than a web browser.
  • the user identifier cookie may be set and read from domains other than the domain containing the proxy server.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A facility for identifying users of client computer systems sending server requests to a recipient computer system is described. For each of a plurality of users, the facility selects one address signifying the identity of the user from among a plurality of addresses at which the recipient computer system can receive server requests from client computer systems. For each user, the facility instructs a client computer program on a client computer system used by the user to direct server requests to servers via the selected address. When a server request is received from a client computer system, the facility determines that any of these are based upon the one of the plurality of the addresses at which the request is received.

Description

IDENTIFYING WEB USERS IN A PROXY SERVER
TECHNICAL FIELD
The present invention is directed to the field of computer user identification, and, more particularly, to the field of identifying computer users via the World Wide Web.
BACKGROUND
The users of computer systems connected to the Internet commonly use a "web browser" computer program to request, receive, and display documents and other data made available via the World Wide Web by "web server" computer systems that are also connected to the Internet. Such documents are generally called "web pages," and related groups of web pages served from the same web server are generally called "web site."
Each piece of data made available via the World Wide Web, such as a web page or an image or other portion of a web page that is provided separately from the web page, is identified by an address called a Uniform Resource Locator ("URL"). In order to retrieve such a piece of data, a web browser issues a HyperText Transfer Protocol ("HTTP") request containing its URL. Each URL generally includes a host name portion identifying the particular web server from which to retrieve the piece of data, as well as a path portion identifying the particular piece of data to retrieve from the identified web server. The host name portion typically identifies both a "domain" identifying a group of web servers, as well as a particular web server within the domain. A collection of related web pages made available in this manner is called a web site. It is often useful for web sites to be able to determine identity of a user accessing its web pages. For example, a merchant web site may select certain products to display based upon the user's past purchases from the web site. Similarly, a subscription news web site may exclude from accessing news those users who have not paid the subscription fee. In order to do so, a web site typically writes a value uniquely identifying each user into a "cookie" stored on the user's computer system by the web browser. When the web browser subsequently sends HTTP requests to URLs in the web site's domain, this value is attached to the HTTP requests. The value can then be used by the web site to associate the current HTTP request with information maintained about earlier HTTP requests from the same user, as well as information about the user gathered in other ways, such as user registration forms.
It is increasingly common for users to access web sites via intermediate computer systems called "proxy servers." Proxy servers provide services to user computer systems, such as security services, in which attempts to access resources of the user computer systems from the Internet are prevented; caching services, in which frequently-accessed web pages and other data are stored in the proxy server and returned in response to HTTP requests for them; and content filtering services, in which inappropriate HTTP requests or inappropriate returned content are intercepted.
Like web sites, it can be useful for proxy servers to be able to determine the identity of a user issuing an HTTP request through the proxy server. For example, the proxy server may permit or deny HTTP requests to or responses from certain web sites based on the identity of the user, or may log HTTP requests based upon the identity of the user. Unfortunately, unlike web sites, proxy servers are unable to store cookies on the user's computer system and retrieve them in HTTP requests that pass through the proxy server, since browsers only include cookies in HTTP requests based upon the domain in the URL, not the domain of the proxy server. Proxy servers generally determine the identity of a user using a "proxy authentication" process, in which the user must type a user identifier and password in a special window at the begmning of each browser session, which is then sent in plaintext with every HTTP request sent from the browser. This solution is disadvantageous, both (1) in that it is inconvenient because it requires the user to enter extra information to begin each browsing session, and (2) in that it is insecure because it includes sensitive information in each request.
In view of the above, a reliable, unobtrusive, secure way to identify users in proxy server would have significant utility.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a high-level block diagram showing the environment in which the facility preferably operates.
Figure 2 is a flow diagram showing the steps preferably performed by the facility in order to configure the web browser to identify the user.
Figure 3 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 2.
Figure 4 is a flow diagram showing the steps preferably performed by the facility when the browser is launched subsequent to performance of the steps shown in Figure 2.
Figure 5 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 4.
Figure 6 is a data structure diagram showing the user identification table used by the facility.
Figure 7 is a flow diagram showing the steps preferably performed by the facility for each HTTP request issued by the user using the browser program.
Figure 8 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 7. Figure 9 is a flow diagram showing steps preferably performed by the facility when user identity cannot be reliably determined by any other means.
Figure 10 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 9.
DETAILED DESCRIPTION
A software facility for identifying users of client computer systems sending messages, such as HTTP requests, to a recipient computer system, such as a proxy server computer system, ("the facility") is provided. At a high level, the facility provides different receiving addresses for different users to use to send messages to the recipient computer system. The facility then identifies the sender of a message to the recipient computer system based upon the particular receiving address at which the message is received. In certain embodiments, the facility also utilizes the source address from which the message is sent in combination with the recipient addresses at which the message is received to identify the user.
In a preferred embodiment, the facility enables the receipt of proxy-diverted HTTP requests by a proxy server at a large number of different network addresses, the different network addresses having different host names and/or different port numbers. For a particular user whose HTTP requests will originate from a particular range of source addresses, the facility selects a receiving address at which to receive proxy-diverted HTTP requests from the user. The facility then configures the user's web browser to deliver all of its HTTP requests to the selected destination address. When an HTTP request is received at the proxy server, the facility uses the receiving address at which it was received and the source address from which it was sent to identify the sender.
In cases in which it is not possible to reliably identify the user originating the HTTP request based upon its receiving address and source address, the facility preferably attempts to identify the user by identifying earlier HTTP requests sent by the same user that contain identification information for the user. If this too fails to reliably identify the user originating the HTTP request, the facility preferably inserts into the HTTP reply produced by the web server in response to the HTTP request a reference to data at a web server in the proxy server domain. When this modified HTTP reply is received in the browser, the browser sends to the web server in the proxy server domain via the proxy server an additional HTTP request for the referenced data. The additional HTTP request contains information identifying the user stored in a cookie for the proxy server domain, which is used by the facility to identify the user.
In this manner, the facility reliably, unobtrusively, and securely identifies the users sending HTTP requests to a proxy server irrespective of the use of such source-concealing measures as IP masquerading and dynamic IP allocation at the user's end of the connection. Such identification may be used, for example, to filter or log HTTP traffic originating with particular users.
Figure 1 is a high-level block diagram showing the environment in which the facility preferably operates. The facility shows a client computer system 110 used by a user who is to be identified. The user of the client computer system 110 uses a web browser program 111 to access data provided by a web server computer system 150 connected to the Internet 140. In order to identify the user, the facility uses a web browser configuration 112 and web browser cookies 113 stored in the client computer system. The web browser configuration 112 instructs the web browser program to connect to the web server computer system via proxy server computer system 130. The client computer system is connected to the proxy server computer system by the Internet or another network 120. The proxy server computer system contains a memory 131. The memory preferably contains a proxy server program 132 for forwarding requests from the client computer system to one or more web server computer systems, and for forwarding replies from one or more web server computer systems to the client computer system. The memory also contains the facility 133 for identifying the user of the client computer system, as well as a user identification table 134 used by the facility. While items 132-134 are preferably stored in memory while being used, those skilled in the art will appreciate that these items, or portions of them, may be transferred between memory and a persistent storage device 136, such as a hard drive, for purposes of memory management and data integrity. The proxy server computer system further contains one or more central processing units ("CPUs") 135 for executing programs, such as programs 132 and 133. The proxy server computer system preferably also contains a computer-readable medium drive 1378 or reading information or installing programs as a facility phone computer-readable media, such as a floppy disk, a CD-ROM, or a DVD.
While preferred embodiments are described in terms of the environment described above, those skilled in the art will appreciate that the facility may be implemented in a variety of other environments, including various other combinations of computer systems or similar devices connected in various ways.
Figure 2 is a flow diagram showing the steps preferably performed by the facility in order to configure the web browser to identify the user. In step 201, the user of the client computer system signs in to the user identification system on a web page served from the domain of the proxy server computer system by entering his user identifier and password. This web page may be served from the proxy server computer system, or another computer system in the same Internet domain. In step 202, the facility stores a cookie containing a user identifier identifying the user on the client computer system under the proxy domain. In step 203, the facility reconfigures the browser program to obtain a proxy server configuration file from a special configuration file URL within the proxy domain each time the browser program is restarted. For example, in order to do so with the Netscape Navigator browser program provided by Netscape Communications of Mountain View, California, the facility preferably instructs the browser program to execute the JavaScript script shown in Table 1.
function ChangeProxySettings() { netscape. security.PrivilegeManager. enab lePrivilege ("UniversalPreferencesWrite") ; navigator.preference("network.proxy.typ e", 2); navigator.preference("network.proxy . aut oconfig_url",
"http://proxyconfig.proxyl.com/proxy.pa c");
Table 1
Those skilled in the art will appreciate that other browser programs may be similarly configured to obtain a proxy configuration file from a proxy configuration file URL each time they restart. After step 203, these steps conclude.
Figure 3 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 2. Figure 3 shows the client computer system 301 sending to the proxy server computer system 302 a user sign-in request 303. The user sign-in request contains a user identifier of "gwilliams", and a password of "catdog". When it receives the user sign-in request, the proxy server computer system sends to the client computer system a user sign-in response 304. The user sign-in response contains an instruction to set a cookie on the client computer system for the proxy server domain. The cookie that is set is named "proxy l_userid", and it is set to the value "gwilliams". The user sign-in response further includes an instruction to set the proxy configuration file URL in the client computer system to
"http://proxyconfig.proxyl.corn/proxy.pac".
Figure 4 is a flow diagram showing the steps preferably performed by the facility when the browser is launched subsequent to performance of the steps shown in Figure 2. In step 401, based upon its configuration, the browser program submits a request for a proxy server configuration file to the specified URL in the proxy domain. The request includes the contents of the cookie for the proxy domain containing the user's user identifier. In step 402, in the proxy server computer system, the facility extracts the user identifier from the cookie received in the request for a proxy server configuration file. In step 403, the facility assigns to the user a proxy host address and port number that, together with the high-order portion of the client host address enclosed in the request for proxy server configuration file uniquely identifies the user. While the highest-order 24 bits of the client host address are preferably used, those skilled in the art will appreciate that high-order portions of the client host address of different lengths may also be used to account for the size of source address ranges attributed by various IP masquerading and dynamic IP allocation schemes. In step 404, the facility stores in a user identification table a row associating the user identifier with the proxy host address and proxy port number assigned in step 403, as well as with the high-order portion of the client host address. In step 405, the facility returns to the client computer system a proxy server configuration file specifying the proxy host address and port number assigned in step 403. When the browser program in the client computer system receives and processes the proxy server configuration file, it updates the browser configuration to forward each subsequent HTTP request to its ultimate destination URL via the specified proxy host address and port number. After step 405, these steps conclude.
Figure 5 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 4. Figure 5 shows that the client computer system 501 sends to the proxy server computer system 502 a proxy configuration file request 503. It can be seen that the proxy configuration file request is sent to the proxy configuration file URL specified in the user sign-in response 304:
"http://proxyconfig.proxyl.com/proxy.pac". The proxy configuration file request further includes the user identifier cookie containing the user identifier for the user. When it receives the proxy configuration file request, the proxy server computer system sends to the client computer system a proxy configuration file response 504. It contains a proxy URL comprising the assigned proxy host address, "212.19.26.13", and the assigned proxy port number, "48913".
Figure 6 is a data structure diagram showing the user identification table used by the facility. The user identification table 600 preferably contains a row for each user, such as row 610. Each row is comprised of a source host address portion 601, a destination host address portion 602, a destination port number 603, and a user identifier 604. Row 610 was generated by the facility in response to the receipt of proxy configuration file request 503. It indicates that the source address from which the proxy configuration file was received was in the range between host addresses "208.152.24.0" and "208.152.24.255" ("208.152.24.*"). It further indicates that the destination host address assigned to the user is "212.19.26.13". It further indicates that the destination port number assigned to the user is "48913". Finally, it indicates that the user identifier of the user is "gwilliams". Figure 7 is a flow diagram showing the steps preferably performed by the facility for each HTTP request issued by the user using the browser program. In step 701, an HTTP request containing the source host address for the client computer system and the destination host address of the web server computer system and contents of any cookies stored on the client computer system for the server domain is sent to the proxy host address and port number assigned to the user. In step 702, the facility in the proxy computer system identifies the table row containing the high-order portion of the source address, proxy host address, and port number of the HTTP request received by the proxy computer system from the client computer system. In step 703, the facility retrieves the user identifier from the identified row in order to identify the user. This information may be used in the proxy server computer system, or in other computer systems, for a variety of purposes, including HTTP filtering or logging. The facility may also use the retrieved user identifier to identify the user as the intended recipient of an HTTP response returned by the web server computer system in response to the forwarded HTTP request. After step 703, these steps conclude.
Figure 8 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 7. Figure 8 shows that the client computer system 801 sends to the proxy server computer system 802 an HTTP request 800. The HTTP request for URL "http://www.newsl.com:80" is sent to the proxy host address and port number assigned to the user: "212.19.26.13:48913", one of a large number of proxy host address and port number combinations used by the proxy server computer system to receive HTTP requests. The proxy computer system uses the proxy host address and port number and source address to select row 610 in the user identification table. The facility thus determines that the HTTP request was sent by user "gwilliams".
In a further embodiment, the facility uses an additional level of indirection to enable a single user to maintain two or more separate "sessions" with the proxy server computer system, each from a different client computer system. In this embodiment, a first user identification table maps from high-order source address, proxy address, and proxy port number to a session identifier, and a second user identification table maps from session identifier to user identifier.
In a yet further preferred embodiment, the facility preferably identifies client computer systems that are prevented by a firewall or a similar device from sending HTTP requests to certain proxy addresses or port numbers, and selects a proxy address and port number for such client computer systems to which such client computer systems are able to send HTTP requests. In a yet further embodiment, where HTTP requests for a group of client computer systems are all sent to the same proxy address and port number and IP masquerading and dynamic IP allocation are not being used, the facility preferably identifies users based solely upon the entire client computer system host address.
In a yet further preferred embodiment, the cookie stored on the client computer system is preferably refreshed periodically to prevent the cookie from expiring and being removed from the client computer system.
In an additional preferred embodiment, the facility preferably maintains information on each received HTTP request, and uses a referrer field in the HTTP header of each HTTP request to identifier among the HTTP request chains, also called "click streams," that each constitute a chain—or series—of HTTP requests from the same user. Where the user is issuing a particular HTTP request cannot be identified, the facility preferably traverses the HTTP request chain containing the HTTP request to determine the identity of the user. This is possible, for example, where the HTTP chain includes a user sign-in request identifying the user.
In addition to using the referrer field to identify HTTP request chains, the facility preferably also uses a user-agent field containing a text string identifying the browser and its environment, which is invariant within a particular browser and client computer system, and therefore invariant within an HTTP request chain. The facility preferably also uses the time at which each HTTP request is received at the proxy computer system to identify HTTP request chains, as issuance by a single user of HTTP requests at certain time intervals is much more likely than issuance at other intervals. For example, users seldom issue successive HTTP requests at intervals shorter than .5 seconds.
Where none of the foregoing techniques are successful to reliably identify the user, the facility preferably resorts to additional measures. For example, where the client computer system is subjected to IP masquerading, the client computer system cannot be configured to proxy HTTP requests to a special receiving address, and where the user's HTTP request chain was broken by using a bookmark instead of following a link, the foregoing techniques may fail to reliably identify the user.
Figure 9 is a flow diagram showing steps performed by the facility to identify the user when user identity cannot be reliably determined by other means. These steps are preferably performed while processing an HTTP request to a web server outside the proxy domain. In step 901, when the facility receives from the web server an HTTP reply to the HTTP response that contains a web page, the facility modifies the HTTP reply to include in the web page an image tag referencing an image at a URL within the proxy domain. When the browser on the client computer system receives the modified HTTP reply and processes the contained web page, the browser generates and sends an additional HTTP request for the referenced image, which is forwarded via the proxy server like all of the other HTTP requests sent from the browser. Because it is addressed to a web server in the proxy domain, the browser attaches to the HTTP request for the image the value of the user identifier cookie stored for the user under the proxy domain by the browser in step 202.
In step 902, the facility in the proxy server receives the HTTP request for the image containing the user identifier cookie value. In step 903, the facility uses the user identifier cookie value, containing the user identifier for the user, to identify the user. In step 904, the facility returns to the client computer system an HTTP reply containing a small, transparent image. In one embodiment, the facility does so by forwarding the HTTP request for the image to a separate web server computer system, then forwarding to the client computer system an HTTP reply generated by the web server computer system. In an alternative embodiment, the proxy server itself generates the HTTP reply and sends it to the client computer system. After step 904, these steps conclude.
Figure 10 is a data flow diagram showing a sample data flow resulting from the steps shown in Figure 9. Figure 10 shows a web server 1003 outside the proxy domain sending an HTTP reply 1011 to the proxy server computer system 1002. HTTP reply 1011 contains a web page generated by web server 1003. When it receives HTTP reply 1011, the proxy server computer system modifies the HTTP reply 1011 to insert an image tag in the web page contained therein. The proxy server computer system sends the modified HTTP reply 1012 to the client computer system 1001. It can be seen that the modified HTTP reply contains the image tag "<img src="http://www.proxyl.corn/img/lxl.gif' height=T width=l border=0>", which references an image obtainable from an address within the proxy domain.
When the client computer system receives the modified HTTP reply containing the image tag, the client computer system generates and sends to the proxy server an HTTP request 1021 for the image. Because the URL for the image is in the proxy domain, the client computer system attaches to the HTTP request for the image the value of the user identifier cookie stored for the user under the proxy domain, "gwilliams". When the proxy server computer system receives the HTTP request for the image, the proxy server extracts value of the user identifier cookie from the HTTP request for the image and uses it to identify the user. The proxy server also forwards the HTTP request for the image 1022 to a web server 1004 within the proxy server domain. Web server 1004 responds with an HTTP reply 1023 containing the image, which the proxy server forwards as HTTP reply 1024 to the client computer system.
It will be understood by those skilled in the art that the above-described facility could be adapted or extended in various ways.
For example, a facility may be used to identify users using a client program other than a web browser. Additionally, the user identifier cookie may be set and read from domains other than the domain containing the proxy server. While the foregoing description makes reference to preferred embodiments, the scope of the invention is defined solely by the claims that follow and the elements recited therein.

Claims

1. A computer system for conveying the identity of a user originating a message, comprising: a recipient identification subsystem that identifies a recipient for the message; a destination address selection subsystem that selects from a plurality of destination addresses for the recipient, a destination address for the recipient based upon the identity of the user; and a message transmission subsystem that transmits the message to the selected destination address.
2. The computer system of claim 1, further comprising, at the recipient: receives the message; and a message receiving subsystem that a user identification subsystem that, based upon the destination address of the message, determines the identity of the user.
3. The computer system of claim 2 wherein the received message includes a source address for the message, and wherein the user identification subsystem identifies the user based upon the included source address.
4. A method in a recipient computer system for deteπnining the identity of a user of an originating computer system, comprising: receiving a message from the originating computer system, the message being directed to one of a plurality of addresses at which the recipient computer system receives messages; and based upon the address to which the message was directed, determining the identity of the user.
5. The method of claim 4 wherein the address to which the message was directed includes a host address, and wherein the identity of the user is determined based upon the host address.
6. The method of claim 4 wherein the address to which the message was directed includes a port number, and wherein the identity of the user is determined based upon the port number.
7. The method of claim 4 wherein the address to which the message was directed includes a host address and a port number, and wherein the identity of the user is determined based upon the combination of the host address and the port number of the address to which the message was directed.
8. The method of claim 4 wherein the received message includes a source address for the message, and wherein the identity of the user is determined based upon the included source address.
9. The method of claim 4 wherein the received message includes a source address for the message, and wherein the address to which the message was directed includes a host address and a port number, and wherein the identity of the user is determined based upon the combination of the source address for the message and the host address and the port number of the address to which the message was directed.
10. A generated data signal containing an HTTP request, the HTTP request containing a destination selected to identify a user associated with the HTTP request, such that the identity of a user associated with the HTTP request may be determined based on the destination address contained by the HTTP request.
11. The generated data signal of claim 10 wherein the HTTP request further contains a source address, such that the identity of a user associated with the request may be determined based both upon the destination address contained by the HTTP request and upon the source address contained by the HTTP request.
12. A generated data signal conveying a proxy server configuration instruction to a client computer system, the proxy server configuration instruction having contents instructing the client computer system to establish its proxy server configuration by sending a proxy server configuration request containing an identification of the user stored persistently on the client computer system to a network address specified in the proxy server configuration instruction, such that, when the client computer system uses the proxy server configuration instruction to establish its proxy server configuration by sending a proxy server configuration request to the specified network address, the proxy server configuration established as a result may be customized to the user.
13. A computer-readable medium whose contents cause a computer system to identify a user issuing a selected server request by: receiving the selected server request from a client computer system; responding to the selected server request with a first response, the first response including a reference for provoking a second request that includes information identifying the user stored in the client computer system; receiving a second server request from the client computer system, the second server request being provoked by the reference included in the first response and including information identifying the user stored in the client computer system; and using the included information to identify the user issuing the selected server request.
14. The computer-readable medium of claim 13 wherein the computer system is a proxy server computer system located within a proxy domain, and wherein the reference included in the first response is a reference within the proxy domain, and wherein the information identifying the user included in the second server request is the value of a cookie stored on the client computer system under the proxy domain.
15. The computer-readable medium of claim 13 wherein the responding comprises: forwarding the selected server request to a separate server to which it is addressed; receiving a response from the separate server; and modifying the response from the separate server to include the reference.
16. The computer-readable medium of claim 13 wherein the first response contains a web page, and wherein the reference is an image tag referencing an image.
17. The computer-readable medium of claim 13 wherein the first response contains a web page, and wherein the reference is an object tag referencing an image.
18. The computer-readable medium of claim 13 wherein the first response contains a web page, and wherein the reference is a layer tag referencing an image.
19. The computer-readable medium of claim 13 wherein the first response contains a web page, and wherein the reference is a background image tag referencing an image.
20. The computer-readable medium of claim 13 wherein the first response contains a web page, and wherein the reference is a frame tag referencing an image.
PCT/US2000/033862 1999-12-17 2000-12-13 Identifying web users in a proxy server WO2001044975A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU20985/01A AU2098501A (en) 1999-12-17 2000-12-13 Identifying web users in a proxy server

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US46610499A 1999-12-17 1999-12-17
US09/466,104 1999-12-17

Publications (3)

Publication Number Publication Date
WO2001044975A2 WO2001044975A2 (en) 2001-06-21
WO2001044975A3 WO2001044975A3 (en) 2002-05-23
WO2001044975A9 true WO2001044975A9 (en) 2002-07-18

Family

ID=23850488

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/033862 WO2001044975A2 (en) 1999-12-17 2000-12-13 Identifying web users in a proxy server

Country Status (2)

Country Link
AU (1) AU2098501A (en)
WO (1) WO2001044975A2 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9124920B2 (en) 2011-06-29 2015-09-01 The Nielson Company (Us), Llc Methods, apparatus, and articles of manufacture to identify media presentation devices
US9301173B2 (en) 2013-03-15 2016-03-29 The Nielsen Company (Us), Llc Methods and apparatus to credit internet usage
US9307418B2 (en) 2011-06-30 2016-04-05 The Nielson Company (Us), Llc Systems, methods, and apparatus to monitor mobile internet activity
US11849001B2 (en) 2010-08-14 2023-12-19 The Nielsen Company (Us), Llc Systems, methods, and apparatus to monitor mobile internet activity

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1666205A (en) 2001-10-17 2005-09-07 Npx科技有限公司 Verification of a person identifier received online
US8910259B2 (en) * 2010-08-14 2014-12-09 The Nielsen Company (Us), Llc Systems, methods, and apparatus to monitor mobile internet activity
US10356579B2 (en) 2013-03-15 2019-07-16 The Nielsen Company (Us), Llc Methods and apparatus to credit usage of mobile devices
US9762688B2 (en) 2014-10-31 2017-09-12 The Nielsen Company (Us), Llc Methods and apparatus to improve usage crediting in mobile devices
US11423420B2 (en) 2015-02-06 2022-08-23 The Nielsen Company (Us), Llc Methods and apparatus to credit media presentations for online media distributions
US20230247081A1 (en) * 2022-01-31 2023-08-03 Salesforce.Com, Inc. Declarative rendering of hypertext transfer protocol headers

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6049821A (en) * 1997-01-24 2000-04-11 Motorola, Inc. Proxy host computer and method for accessing and retrieving information between a browser and a proxy
EP0981885B1 (en) * 1997-06-25 2005-12-14 Inforonics, Inc. Apparatus and method for identifying clients accessing network sites
US6487538B1 (en) * 1998-11-16 2002-11-26 Sun Microsystems, Inc. Method and apparatus for local advertising
US6401125B1 (en) * 1999-08-05 2002-06-04 Nextpage, Inc. System and method for maintaining state information between a web proxy server and its clients

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11849001B2 (en) 2010-08-14 2023-12-19 The Nielsen Company (Us), Llc Systems, methods, and apparatus to monitor mobile internet activity
US9124920B2 (en) 2011-06-29 2015-09-01 The Nielson Company (Us), Llc Methods, apparatus, and articles of manufacture to identify media presentation devices
US9307418B2 (en) 2011-06-30 2016-04-05 The Nielson Company (Us), Llc Systems, methods, and apparatus to monitor mobile internet activity
US9301173B2 (en) 2013-03-15 2016-03-29 The Nielsen Company (Us), Llc Methods and apparatus to credit internet usage

Also Published As

Publication number Publication date
WO2001044975A2 (en) 2001-06-21
AU2098501A (en) 2001-06-25
WO2001044975A3 (en) 2002-05-23

Similar Documents

Publication Publication Date Title
US7058633B1 (en) System and method for generalized URL-rewriting
US8874695B2 (en) Web access using cross-domain cookies
US6954783B1 (en) System and method of mediating a web page
CA2307051C (en) Method and apparatus to determine user identity and limit access to a communications network
US8346848B2 (en) System and method for maintaining statefulness during client-server interactions
US7003565B2 (en) Clickstream data collection technique
US7490162B1 (en) Method and system for forwarding messages received at a traffic manager
ES2297734T3 (en) IMPROVED USER INTERFACE.
US5774660A (en) World-wide-web server with delayed resource-binding for resource-based load balancing on a distributed resource multi-node network
US7039699B1 (en) Tracking usage behavior in computer systems
US8429201B2 (en) Updating a database from a browser
EP1114545B1 (en) Method and system for injecting external content into computer network interactive sessions
US6748448B1 (en) High performance internet storage access scheme
US20040073629A1 (en) Method of accessing internet resources through a proxy with improved security
US10104191B2 (en) Page views for proxy servers
US6324584B1 (en) Method for intelligent internet router and system
US20020078076A1 (en) Simulator disposed between a server and a client system
WO2001044975A9 (en) Identifying web users in a proxy server
CN101378407B (en) Method, system and equipment for pushing information
KR100748770B1 (en) A system and method of mediating a web page
US9015199B1 (en) Method and an apparatus to request web pages and content rating information thereof
WO2002013025A1 (en) An access system for use with lans
EP1137234A1 (en) Internet access arrangement
KR100734965B1 (en) Systems and methods for redirecting users attempting to access a network site
Hunt Internet—services, facilities, protocols and architecture

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

AK Designated states

Kind code of ref document: C2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: C2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

COP Corrected version of pamphlet

Free format text: PAGES 1-13, DESCRIPTION, REPLACED BY NEW PAGES 1-13; PAGES 14-18, CLAIMS, REPLACED BY NEW PAGES 14-18; PAGES 1/10-10/10, DRAWINGS, REPLACED BY NEW PAGES 1/10-10/10; DUE TO LATE TRANSMITTAL BY THE RECEIVING OFFICE

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP