US-12621308-B2 - Systems and methods for session time duration management based on user login attributes
Abstract
Systems and methods for session time duration management based on user login attributes are disclosed. A method may include: receiving, at an authentication platform for a website and from a browser executed by an electronic device, a user login; authenticating the user login credentials; requesting a session with the browser with a modified session idle time from a session provider, wherein the session provider is configured to generate a session cookie with the modified session idle time; receiving the session cookie from the session provider; and communicating the session cookie to the browser. The website may be configured to receive an interaction from the browser in the session, determine a current session idle time for the session, compare the current session idle time to the modified session idle time, and terminate the session in response to the current session idle time being greater than the modified session idle time.
Inventors
- Goran Loncaric
- Sandeep Reddy BANALA
Assignees
- JPMORGAN CHASE BANK, N.A.
Dates
- Publication Date: 20260505
- Application Date: 20230608
Claims (12)
- 1. A method for browser session time duration management based on user login attributes, comprising: receiving, at a computer program for an authentication platform for a website or resource and from a browser executed by an electronic device, a user login comprising user login credentials and electronic device information for the electronic device, wherein the electronic device information identifies the electronic device as a public electronic device; authenticating, by the computer program, the user login credentials; requesting, by the computer program, a browser session with the browser with a modified browser session idle time from a session provider, wherein the session provider is configured to generate a browser session cookie with the modified browser session idle time based on the electronic device information, wherein the modified browser session idle time differs from a default browser session idle time for the session provider; receiving, by the computer program, the browser session cookie from the session provider; and communicating, by the computer program, the browser session cookie to the browser; wherein the website or resource is configured to receive an interaction from the browser in the browser session, determine a current browser session idle time for the browser session, compare the current browser session idle time to the modified browser session idle time, and terminate the browser session in response to the current browser session idle time being greater than the modified browser session idle time.
- 2. The method of claim 1, wherein the modified browser session idle time has a shorter time than a default browser session idle time.
- 3. The method of claim 1, wherein the modified browser session idle time has a longer time than a default browser session idle time.
- 4. The method of claim 1, wherein the website or resource determines the current browser session idle time for the browser session based on a timestamp for the interaction with the browser and a last update timestamp in the browser session cookie.
- 5. A system, comprising: an electronic device executing a browser; a session provider; and an authentication platform for a website or resource executing a computer program; wherein: the computer program receives a user login comprising user login credentials and electronic device information for the electronic device from the browser, wherein the electronic device information identifies the electronic device as a public electronic device; the computer program authenticates the user login credentials; the computer program requests a browser session with the browser with a modified browser session idle time from the session provider; the session provider generates a browser session cookie with the modified browser session idle time based on the electronic device information, wherein the modified browser session idle time differs from a default browser session idle time for the session provider; the computer program receives the browser session cookie from the session provider; the computer program communicates the browser session cookie to the browser; the website or resource receives an interaction from the browser in the browser session; the website or resource determines a current browser session idle time for the browser session; the website or resource compares the current browser session idle time to the modified browser session idle time; and the website or resource terminates the browser session in response to the current browser session idle time being greater than the modified browser session idle time.
- 6. The system of claim 5, wherein the modified browser session idle time has a shorter time than a default session idle time.
- 7. The system of claim 5, wherein the modified browser session idle time has a longer time than a default browser session idle time.
- 8. The system of claim 5, wherein the website or resource determines the current browser session idle time for the browser session based on a timestamp for the interaction with the browser and a last update timestamp in the browser session cookie.
- 9. A non-transitory computer readable storage medium, including instructions stored thereon, which when read and executed by one or more computer processors, cause the one or more computer processors to perform steps comprising: receiving, from a browser executed by an electronic device, a user login comprising user login credentials and electronic device information for the electronic device, wherein the electronic device information identifies the electronic device as a public electronic device; authenticating the user login credentials; requesting a browser session with the browser with a modified browser session idle time from a session provider, wherein the session provider is configured to generate a browser session cookie with the modified browser session idle time based on the electronic device information, wherein the modified browser session idle time differs from a default browser session idle time for the session provider; receiving the browser session cookie from the session provider; and communicating the browser session cookie to the browser; wherein a website or resource is configured to receive an interaction from the browser in the browser session, determine a current browser session idle time for the browser session, compare the current browser session idle time to the modified browser session idle time, and terminate the browser session in response to the current browser session idle time being greater than the modified browser session idle time.
- 10. The non-transitory computer readable storage medium of claim 9, wherein the modified browser session idle time has a shorter time than a default session idle time.
- 11. The non-transitory computer readable storage medium of claim 9, wherein the modified browser session idle time has a longer time than a default browser session idle time.
- 12. The non-transitory computer readable storage medium of claim 9, wherein the website or resource determines the current browser session idle time for the browser session based on a timestamp for the interaction with the browser and a last update timestamp in the browser session cookie.
Description
BACKGROUND OF THE INVENTION
1. Field of the Invention
Embodiments are generally directed to systems and methods for session time duration management based on user login attributes.
2. Description of the Related Art
When customers use a public personal computer, such as one in a library, a hotel business center, etc., or borrow a mobile device from a friend, to do their online banking or any other secure activity, they sometimes do not log out at the end of their session. This provides an opportunity for a malicious actor to take over the session once the genuine user leaves the premises, as the session continues to be alive for usually between five and twenty minutes of inactivity before it is automatically terminated.
Currently, session length, also known as “alive time” or “maximum inactivity period” is static, and service providers rely on other techniques (e.g., step-up authentication) to mitigate the threat of account takeover or fraudulent transactions. But step-ups do not cover all interactions that may expose a customer to risk. For example, no step up authentication may be required for the customer—or a malicious actor—to review the customer's statements.
SUMMARY OF THE INVENTION
Systems and methods for session time duration management based on user login attributes are disclosed.
According to one embodiment, a method for session time duration management based on user login attributes may include: (1) receiving, at a computer program for an authentication platform for a website or resource and from a browser executed by an electronic device, a user login comprising user login credentials and electronic device information for the electronic device; (2) authenticating, by the computer program, the user login credentials; (3) requesting, by the computer program, a session with the browser with a modified session idle time from a session provider, wherein the session provider is configured to generate a session cookie with the modified session idle time; (4) receiving, by the computer program, the session cookie from the session provider; and (5) communicating, by the computer program, the session cookie to the browser. The website or resource is configured to receive an interaction from the browser in the session, determine a current session idle time for the session, compare the current session idle time to the modified session idle time, and terminate the session in response to the current session idle time being greater than the modified session idle time.
In one embodiment, the modified session idle time may have a shorter time than a default session idle time. The modified session idle time may be requested in response to the electronic device being a public electronic device based on an IP address or a geolocation of the electronic device, in response to the electronic device being a first interaction with the electronic device, etc.
In one embodiment, the modified session idle time may have a longer time than a default session idle time. The modified session idle time may be requested in response to the electronic device being a trusted electronic device.
In one embodiment, the website or resource may determine the current session idle time for the session based on a timestamp for the interaction with the browser and a last update timestamp in the session cookie.
According to another embodiment, a system may include: an electronic device executing a browser; a session provider; and an authentication platform for a website or resource executing a computer program. The computer program receives a user login comprising user login credentials and electronic device information for the electronic device from the browser; authenticates the user login credentials; and requests a session with the browser with a modified session idle time from the session provider. The session provider generates a session cookie with the modified session idle time. The computer program receives the session cookie from the session provider and communicates the session cookie to the browser. The website or resource: receives an interaction from the browser in the session; determines a current session idle time for the session; compares the current session idle time to the modified session idle time; and terminates the session in response to the current session idle time being greater than the modified session idle time.
In one embodiment, the modified session idle time may have a shorter time than a default session idle time. The modified session idle time may be requested in response to the electronic device being a public electronic device based on an IP address or a geolocation of the electronic device, in response to the electronic device being a first interaction with the electronic device, etc.
In one embodiment, the modified session idle time may have a longer time than a default session idle time. The modified session idle time may be requested in response to the electronic device being a trusted electronic device.
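The flow described above, sketched as an added example that is not taken from the patent: a session provider issues a cookie carrying the device-dependent idle limit and a last update timestamp, and the website compares elapsed idle time against that limit on each interaction. The HMAC signature, the key, the field names and the three limit values are assumptions added here; the signature is included because a limit stored client-side is otherwise editable by whoever holds the browser.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: secret shared by provider and website
# Assumed idle limits in seconds; the patent only requires they differ from the default.
IDLE_LIMITS = {"public": 120, "default": 900, "trusted": 1800}

def _sign(payload: bytes) -> str:
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()

def _encode(claims: dict) -> str:
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload)

def issue_cookie(user: str, device_class: str, now: int) -> str:
    """Session provider: pick the idle limit from the device information."""
    limit = IDLE_LIMITS.get(device_class, IDLE_LIMITS["default"])
    return _encode({"sub": user, "idle_limit": limit, "last_update": now})

def handle_interaction(cookie: str, now: int):
    """Website: return (allowed, refreshed_cookie_or_None, reason)."""
    payload, _, sig = cookie.rpartition(".")
    # Reject any cookie whose idle_limit or last_update was edited client-side.
    if not hmac.compare_digest(sig.encode(), _sign(payload.encode()).encode()):
        return False, None, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    idle = now - claims["last_update"]  # current session idle time
    if idle < 0:
        return False, None, "invalid timestamp"
    if idle > claims["idle_limit"]:     # terminate only when strictly greater
        return False, None, "idle timeout"
    claims["last_update"] = now         # refresh the last update timestamp
    return True, _encode(claims), "ok"

if __name__ == "__main__":
    c = issue_cookie("alice", "public", now=1000)   # constructed sample login
    print(handle_interaction(c, now=1060)[2])       # within the public limit
    print(handle_interaction(c, now=1500)[2])       # past the public limit
```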