Prosecution Insights
Last updated: July 17, 2026
Application No. 18/339,188

SYSTEMS, METHODS, AND STORAGE MEDIA FOR ABSTRACTING SESSION INFORMATION FOR AN APPLICATION IN AN IDENTITY INFRASTRUCTURE

Final Rejection §103
Filed
Jun 21, 2023
Priority
Jun 22, 2022 — provisional 63/354,268
Examiner
GOODARZI, NASSER MOAZZAMI
Art Unit
2400
Tech Center
2400 — Computer Networks
Assignee
Strata Identity Inc.
OA Round
2 (Final)
42%
Grant Probability
Moderate
3-4
OA Rounds
5m
Est. Remaining
53%
With Interview

Examiner Intelligence

Grants 42% of resolved cases
42%
Career Allowance Rate
27 granted / 65 resolved
-16.5% vs TC avg
Moderate +12% lift
Without
With
+11.6%
Interview Lift
resolved cases with interview
Typical timeline
3y 6m
Avg Prosecution
4 currently pending
Career history
69
Total Applications
across all art units

Statute-Specific Performance

§101
0.5%
-39.5% vs TC avg
§103
80.6%
+40.6% vs TC avg
§102
15.4%
-24.6% vs TC avg
§112
1.0%
-39.0% vs TC avg
Black line = Tech Center average estimate • Based on career data from 65 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s arguments with respect to claims 1-20 have been considered but they are nor persuasive for the following reasons. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Applicant states that Manolache and Brinskelle, alone or in combination, fail to show each element recited by amended independent claim 1. For example, the Examiner admits that "Manolache does not explicitly disclose ... receive a response from the application at the second computing device, wherein the response comprises one or more first cookies; cache the one or more first cookies; remove the one or more first cookies from the response; create one or more second cookies, wherein the one or more second cookies are associated with the application; wherein the response comprises the one or more second cookies." See Office Action, page 4. However, the Examiner contends that these steps are taught in Brinskelle. Yet Brinskelle is silent regarding, for example, "receive a response from the application at the second computing device, wherein the response comprises one or more first cookies; cache, at the second computing device, the one or more first cookies; remove, at the second computing device, the one or more first cookies from the response; create, at the second computing device, one or more second cookies, wherein the one or more second cookies are associated with the application; and transmit the response to the first computing device from the second computing device, wherein the response comprises the one or more second cookies," as recited in part by claim 1. Thus, Brinskelle does not show or suggest that which Manolache lacks because Brinskelle is silent regarding the aforementioned claim limitations. In view of the above, the cited prior art references Manolache and Brinskelle, alone or in combination, do not support an obviousness rejection of amended independent claim 1. Independent claims 8 and 16 contain similar limitations and are likewise patentable. Dependent claims are patentable for at least the same reasons. Applicant believes this reply places the application in condition for allowance and deems further traverse, including traverse of Official Notice, moot at this time. Accordingly, withdrawal of this rejection is respectfully requested. Examiner respectfully disagree with applicant’s statement that the prior arts do not disclose the claimed limitations. As stated in the previous action (non-final dated 05/22/2025), prior art Manolache relied upon for the teaching of intercepting a request to communicate with the application, sending the request to the application, and transmitting a response (see paragraphs 15, 34, and 51 of Manolache). Prior art Brinskelle was relied on for the teaching of caching the cookie, removing the cookie from the response and creating a second cookie. Brinskelle clearly discloses a security agent manipulating responses and removing the original cookie, generating acting cookie and insert acting cookie in place of the original cookie (see paragraph 231). Brinskelle further discloses storing the cookies in a cache (paragraph 278). With regard to amended claim 7 Manolache teaches the plurality of the request (paragraph 17, intercepting requests). Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claim(s) 1-3, 7, 8-10, 13, 16, 17, 18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Manolache et al. ( WO-2021252550-A1: hereafter Manolache) in view of Brinskelle (US-20190354709-A1: hereafter Brinskelle). In regards to claims 1, and 7, Manolache teaches a system configured for abstracting session information for an application in an identity infrastructure, the system comprising: one or more hardware processors configured by machine-readable instructions to (Manolache: In an embodiment, code (e.g., executable code or source code) is stored on a set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, when executed (i.e., as a result of being executed) by one or more processors of a computer system, cause the computer system to perform operations described herein [Para 72].); intercept, from a first computing device, a request to communicate with the application, wherein the intercepting occurs at a second computing device (Manolache: In other instances, a proxy may be enlisted to intercept requests such as the third request and any subsequent requests after that (plurality of requests) that are directed to the web server to enlist the correct services and/or servers to perform these security checks [Para 17].).; send the request to the application from the second computing device (Manolache: The proxy may then perform one or more actions (e.g., perform a security check), using the resources of the server, to the intercepted requests prior to connecting the client computing devices 102 to a computing resource, other services, and/or websites [Para 34].) ; receive a response from the application at the second computing device, wherein the response comprises one or more first cookies; cache, at the second computing device, the one or more first cookies; remove, at the second computing device, the one or more first cookies from the response; create, at the second computing device, one or more second cookies, wherein the one or more second cookies are associated with the application; and transmit the response to the first computing device from the second computing device, wherein the response comprises the one or more second cookies (Manolache: Thus, the response back to the client from the proxy 604 may either indicate that access to the resource is granted or denied [Para 51].). However, Manolache does not explicitly disclose … receive a response from the application at the second computing device, wherein the response comprises one or more first cookies; Cache, at the second computing device, the one or more first cookies; Remove, at the second computing device, the one or more first cookies from the response; Create, at the second computing device, one or more second cookies, wherein the one or more second cookies are associated with the application; wherein the response comprises the one or more second cookies. But Brinskelle, in the same field of endeavor, teaches … receive a response from the application at the second computing device, wherein the response comprises one or more first cookies (Brinskelle: For example, a security agent manipulates HTTP responses from a web application and removes the original HTTP cookies [Para 231].); cache the one or more first cookies (Brinskelle: In some embodiments, sensitive data (such as for example HTTP cookies) are stored in a repository for later retrieval and manipulation of outgoing data transmission. A repository may include a database, in-memory, file system, cache, archival unit, or other storage capacity.[Para 278].); remove the one or more first cookies from the response; create one or more second cookies, wherein the one or more second cookies are associated with the application; and wherein the response comprises the one or more second cookies. (Brinskelle: For example, a security agent manipulates HTTP responses from a web application and removes the original HTTP cookies, generates acting cookies, inserts the acting cookies in place of the original cookies into the HTTP response [Para 231], wherein HTTP cookies are protected by separating cookies by client application, client application process, or client application tab [Para 241].); It is inherent that the steps of sending, caching, removing, creating, and transmitting is being performed for every requests. Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify system of Manolache with system of Brinskelle. The motivation to do so would be to achieve a more secure and resilient cookie authentication framework by providing in depth defense against unauthorized transmission of sensitive session data. In regards to claim 2, the combination of Manolache and Brinskelle teach the system of claim 1, wherein the one or more hardware processors are further configured by machine-readable instructions to: after receiving a response from the application at the second computing device, detect unauthorized access of the session information by reviewing the response for any changes to information related to the first computing device (Manolache: Specifically, cookies (which either include data about the client or has links to data about the client) received as a result of requesting a resource are analyzed to determine if the information contained therein compared to a client’s previous behavior (e.g., expected behavioral activity) is deemed anomalous [Para 21].). In regards to claim 3, the combination of Manolache and Brinskelle teach the system of claim 2, wherein the information related to the first computing device comprises at least one of a first computing device internet protocol (IP) address and first computing device browser fingerprint information (Manolache: Specifically, the data may include a client’s IP address from where the request originated from, client/session ID, client device type [Para 21].). In regards to claim 8, Manolache teaches a method for abstracting session information for an application in an identity infrastructure, the method comprising: intercepting, from a first computing device, a request to communicate with the application, wherein the intercepting occurs at a second computing device (Manolache: In other instances, a proxy may be enlisted to intercept requests (such as the third request and any subsequent requests after that) that are directed to the web server to enlist the correct services and/or servers to perform these security checks [Para 17].).; sending the request to the application from the second computing device (Manolache: The proxy may then perform one or more actions (e.g., perform a security check), using the resources of the server, to the intercepted requests prior to connecting the client computing devices 102 to a computing resource, other services, and/or websites [Para 34].) ; receiving a response from the application at the second computing device, wherein the response comprises one or more first cookies; caching the one or more first cookies; removing the one or more first cookies from the response; creating one or more second cookies, wherein the one or more second cookies are associated with the application; and transmitting the response to the first computing device from the second computing device, wherein the response comprises the one or more second cookies (Manolache: Thus, the response back to the client from the proxy 604 may either indicate that access to the resource is granted or denied [Para 51].). However, Manolache does not explicitly disclose … receiving a response from the application at the second computing device, wherein the response comprises one or more first cookies; caching the one or more first cookies; removing the one or more first cookies from the response; creating one or more second cookies, wherein the one or more second cookies are associated with the application; wherein the response comprises the one or more second cookies. But Brinskelle, in the same field of endeavor, teaches … receiving a response from the application at the second computing device, wherein the response comprises one or more first cookies(Brinskelle: For example, a security agent manipulates HTTP responses from a web application and removes the original HTTP cookies [Para 231].) ; caching the one or more first cookies (Brinskelle: In some embodiments, sensitive data (such as for example HTTP cookies) are stored in a repository for later retrieval and manipulation of outgoing data transmission. A repository may include a database, in-memory, file system, cache, archival unit, or other storage capacity.[Para 278].); removing the one or more first cookies from the response; creating one or more second cookies, wherein the one or more second cookies are associated with the application; and wherein the response comprises the one or more second cookies. (Brinskelle: For example, a security agent manipulates HTTP responses from a web application and removes the original HTTP cookies, generates acting cookies, inserts the acting cookies in place of the original cookies into the HTTP response [Para 231], wherein HTTP cookies are protected by separating cookies by client application, client application process, or client application tab [Para 241].); Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify system of Manolache with system of Brinskelle. The motivation to do so would be to achieve a more secure and resilient cookie authentication framework by providing in depth defense against unauthorized transmission of sensitive session data. In regards to claim 9, the claim recites analogous subject matter as claim 2 above. Therefore it is rejected based on the same rationale recited for claim 2 above. In regards to claim 10 the claim recites analogous subject matter as claim 3 above. Therefore it is rejected based on the same rationale recited for claim 3 above. In regards to claim 13, the claim recites analogous subject matter as claim 6 above. Therefore it is rejected based on the same rationale recited for claim 6 above. In regards to claim 16, Manolache teaches a non-transient computer-readable storage medium having instructions embodied thereon, the instructions being executable by one or more processors to perform a method for abstracting session information for an application in an identity infrastructure, the method comprising (Manolache: In an embodiment, the code is stored on a computer-readable storage medium, for example, in the form of a computer program comprising a plurality of instructions executable by one or more processors. In an embodiment, a computer-readable storage medium is a non-transitory computer-readable storage medium that excludes transitory signals) : intercepting, from a first computing device, a request to communicate with the application, wherein the intercepting occurs at a second computing device (Manolache: In other instances, a proxy may be enlisted to intercept requests (such as the third request and any subsequent requests after that) that are directed to the web server to enlist the correct services and/or servers to perform these security checks [Para 17].).; sending the request to the application from the second computing device (Manolache: The proxy may then perform one or more actions (e.g., perform a security check), using the resources of the server, to the intercepted requests prior to connecting the client computing devices 102 to a computing resource, other services, and/or websites [Para 34].) ; receiving a response from the application at the second computing device, wherein the response comprises one or more first cookies; caching the one or more first cookies; removing the one or more first cookies from the response; creating one or more second cookies, wherein the one or more second cookies are associated with the application; and transmitting the response to the first computing device from the second computing device, wherein the response comprises the one or more second cookies (Manolache: Thus, the response back to the client from the proxy 604 may either indicate that access to the resource is granted or denied [Para 51].). However, Manolache does not explicitly disclose … receiving a response from the application at the second computing device, wherein the response comprises one or more first cookies; caching the one or more first cookies; removing the one or more first cookies from the response; creating one or more second cookies, wherein the one or more second cookies are associated with the application; wherein the response comprises the one or more second cookies. But Brinskelle, in the same field of endeavor, teaches … receiving a response from the application at the second computing device, wherein the response comprises one or more first cookies(Brinskelle: For example, a security agent manipulates HTTP responses from a web application and removes the original HTTP cookies [Para 231].) ; caching the one or more first cookies (Brinskelle: In some embodiments, sensitive data (such as for example HTTP cookies) are stored in a repository for later retrieval and manipulation of outgoing data transmission. A repository may include a database, in-memory, file system, cache, archival unit, or other storage capacity.[Para 278].); removing the one or more first cookies from the response; creating one or more second cookies, wherein the one or more second cookies are associated with the application; and wherein the response comprises the one or more second cookies. (Brinskelle: For example, a security agent manipulates HTTP responses from a web application and removes the original HTTP cookies, generates acting cookies, inserts the acting cookies in place of the original cookies into the HTTP response [Para 231], wherein HTTP cookies are protected by separating cookies by client application, client application process, or client application tab [Para 241].); Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify system of Manolache with system of Brinskelle. The motivation to do so would be to achieve a more secure and resilient cookie authentication framework by providing in depth defense against unauthorized transmission of sensitive session data. In regards to claim 17, the claim recites analogous subject matter as claim 2 above. Therefore it is rejected based on the same rationale recited for claim 2 above. In regards to claim 18, the claim recites analogous subject matter as claim 3 above. Therefore it is rejected based on the same rationale recited for claim 3 above. In regards to claim 20, the claim recites analogous subject matter as claim 6 above. Therefore it is rejected based on the same rationale recited for claim 6 above. Claim(s) 4, 5, 11, 12, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Manolache et al. ( WO-2021252550-A1: hereafter Manolache) in view of Brinskelle (US-20190354709-A1: hereafter Brinskelle) as applied to claims 1,8, and 16 above, and further in view of Shrikhande (US-6721890-B1). In regards to claim 4, the combination of Manolache and Brinskelle teach the system of claim 2, wherein the one or more hardware processors are further configured by machine-readable instructions to: after detecting unauthorized access of the session information, request additional authentication information from the first computing device (Manolache: If the validator indicates that information from the cookie does not pass the security check then the proxy may return a flag (indicating denial of the request) [Para 51].) . However, the combination of Manolache and Brinskelle does not explicitly disclose … request additional authentication information from the first computing device. But Shrikhande, in a similar field of endeavor, teaches… request additional authentication information from the first computing device (Shrikhande: In this manner, the wrapper may detect a suspected unauthorized access, and may request additional authentication from the user before allowing further access [Para 14].). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify system of Manolache and Brinskelle to include requesting additional authentication information as taught by Shrikhande. The motivation to do so would be to enhance security by including more remedial actions for detecting unauthorized access. In regards to claim 5, the combination of Manolache and Brinskelle teach the system of claim 4, wherein, the request to communicate with the application comprises original authentication information (Brinskelle: In some embodiments, a security agent may help secure online communications by obfuscating sensitive data between a client and a server. Sensitive data may include HTTP cookies, session data, authentication information, authorization information, or other data sensitive in nature [Para 34].) ; and the additional authentication information comprises at least one of one or more additional factors of authentication and the original authentication information provided in the request to communicate with the application (Brinskelle: For example, for each transaction or operation the server assesses the risk and if it exceeds a threshold then the server requests re-authentication from the user. By combining security precautions, attacks may be further reduced [Para 510].). In regards to claim 11, the claim recites analogous subject matter as claim 4 above. Therefore it is rejected based on the same rationale recited for claim 4 above. In regards to claim 12, the claim recites analogous subject matter as claim 5 above. Therefore it is rejected based on the same rationale recited for claim 5 above. In regards to claim 19, the claim recites analogous subject matter as claim 4 above. Therefore it is rejected based on the same rationale recited for claim 4 above. Claim(s) 6, 14, and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Manolache et al. ( WO-2021252550-A1: hereafter Manolache) in view of Brinskelle (US-20190354709-A1: hereafter Brinskelle) as applied to claims 1,8, and 16 above, and further in view of Sathiyaseelan et al. (“A proposed system for preventing session hijacking with modified one-time cookies” :hereafter Sathiyaseelan). In regards to claims 6, and 14-15, the combination of Manolache and Brinskelle teach the system of claim 6, wherein the one or more hardware processors are further configured by machine-readable instructions to: replace the one or more second cookies with one of more third cookies; track the session with the one or more third cookies (Brinskelle: In some embodiments, a security agent protects HTTP cookies by tracking HTTP cookies with which client application, client application process, or web browser tab the cookie should be used by [Para 240]. In some embodiments, a security agent translates session id's between original session id and acting session id's [Para 244].). The combination also discloses timing out cookies after a period of time so that they can no longer be used (Brinskelle: In some embodiments, a security agent times out cookies after some period of time so they may no longer be released or used. Such embodiments may help reduce attacks by narrowing the window of time that attacks may be carried out in. For example, to reduce the possibility of theft of or release of one or more cookies, a security agent keeps track of when cookies are issued so that cookies are automatically expired after a certain time period passes, and expired cookies are no longer used [Para 239].). The combination further discloses wherein, the request to communicate with the application comprises a plurality of requests to communicate with the application (Manolache: Subsequently, in some instances, the client sends the cookie and a second request to the web server for access to the same webpage or a different webpage hosted by the web server[Para 16].) ; and the one or more second cookies are replaced with the one or more third cookies upon at least one of, a time associated with a most recent request of the plurality of requests to communicate with the application exceeds an identified time period (Brinskelle: In some embodiments, a security agent times out cookies after some period of time so they may no longer be released or used. Such embodiments may help reduce attacks by narrowing the window of time that attacks may be carried out in. For example, to reduce the possibility of theft of or release of one or more cookies, a security agent keeps track of when cookies are issued so that cookies are automatically expired after a certain time period passes, and expired cookies are no longer used [Para 239].) ; and the most recent request of the plurality of requests to communicate with the application exceeds an identified total number of requests, but does not explicitly teach… replace the one or more second cookies with one of more third cookies. But Sathiyaseelan, in the same field of endeavor, discloses a system for modifying one-time cookies that teaches… replace the one or more second cookies with one of more third cookies (Sathiyaseelan: Fig 1, The Reverse Proxy Server(RPS) creates One-Time Cookies (OTC), forward them and response to the client. Then from now on the user sends the OTC to the RPS for every request where the RPS checks OTC and again creates OTC for every new request made by the user[Steps 4-7, Page 453].) . Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify system of Manolache and Brinskelle to include replacing expired cookies with one-time cookies as taught by Sathiyaseelan. The motivation to do so would be to enhance the security of the session by preventing an attacker from gaining access to a cookie or backend server based on the temporary nature of the one-time cookie (Sathiyaseelan; Abstract). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Nasser Goodarzi whose telephone number is (571) 272-4195. The examiner can normally be reached Monday- Friday, 8:00 am - 5:00 pm EST,. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Colleen Fauz can be reached at (571) 272-1667. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /NASSER M GOODARZI/Supervisory Patent Examiner, Art Unit 2426
Read full office action

Prosecution Timeline

Jun 21, 2023
Application Filed
May 22, 2025
Non-Final Rejection mailed — §103
Jul 08, 2025
Interview Requested
Jul 17, 2025
Examiner Interview Summary
Jul 17, 2025
Applicant Interview (Telephonic)
Aug 22, 2025
Response Filed
Jul 02, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12682093
STORING AND RETRIEVING DATA BASED ON EXPERIENCE IN CATEGORIES ASSOCIATED WITH HISTORICAL INTERACTIONS
3y 8m to grant Granted Jul 14, 2026
Patent 12682262
Fault Tree Generation Device and Fault Tree Generation Method
3y 1m to grant Granted Jul 14, 2026
Patent 12619765
Existing Policy Determinations For An Identity Set
4y 1m to grant Granted May 05, 2026
Patent 12619487
CLASSIFIER VALIDATION
3y 6m to grant Granted May 05, 2026
Patent 12619686
SOFTWARE PACKAGE SHARING TO RESTRICTED LANDSCAPES
3y 0m to grant Granted May 05, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
42%
Grant Probability
53%
With Interview (+11.6%)
3y 6m (~5m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 65 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month