DETAILED ACTION
In a communication received on 15 January 2026, applicants amended claims 1, 10, and 16.
Claims 1-20 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 10, and 16 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 10, and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Carru (US 2019/0392017 A1) in view of Fok et al. (US 2003/0187995 A1).
With respect to claim 1, Carru discloses: a system, comprising: one or more processors; and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the computing system to perform operations (i.e., processor coupled to memory to perform program instructions in Carru, ¶0198), and
wherein the single browser instance is configured to access the plurality of applications (i.e., single signon identity system with a unified view of browser accessing multiple cloud applications with SSO flows in Carru, ¶0036-0037, ¶0214-0216);
communicating, to the user device, a redirect response comprising a query parameter to each of the plurality of applications (i.e., authentication layers redirect through the browser and provide authentication state/result as a query parameter in Carru, ¶0004, ¶0206, ¶0211);
receiving, from the user device, a browser-session synchronization cookie from each of the plurality of applications responsive to each corresponding redirect response (i.e., IDCS request cookie is stored in the browser and automatically returned to the SSO microservice after redirect, multiple cookies corresponding to the multiple requests in Carru, ¶0205, ¶0208);
generating, based on the browser-session identifier and by the negotiation algorithm, a browser-session cookie (i.e., SSO writes the ORA_OCIS cookie containing session information after reading request/session state; SSO logic may be an algorithm in Carru, ¶0208, ¶0210); and
establishing, based on the browser-session cookie, a session for the plurality of applications via the single browser instance. (i.e., Cloud Gate issues and validates session cookies for browser access to protected applications in Carru, ¶0120-0121, ¶0219, ¶0222).
Carru discloses SSO issues the session to the browser via an SSO cookie (¶0163). Carru do(es) not explicitly disclose the following. Fok, in order to improve efficiency by executing required business logic only once rather than for all threads for multiple requests (¶0075), discloses:
receiving, from a user device, a plurality of concurrent requests at a same time from a plurality of respective applications for establishing a plurality of sessions, respectively, wherein the plurality of concurrent requests originated from a single browser instance (i.e., receives multiple requests from the same client browser while earlier processing is still in flight and coordinates them server-side. in FOK, ¶0008, ¶0076);
determining, based on a plurality of browser-session synchronization cookies and by a negotiation algorithm, a browser-session identifier (i.e., uses a cookie client identifier and server table/client-context logic to associate multiple requests and choose session context in Fok, ¶0077, ¶0080).
Based on Carru in view of Fok, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Fok to improve upon those of Carru in order to improve efficiency by executing required business logic only once rather than for all threads for multiple requests.
With respect to claim 10, the limitation(s) of claim 10 are similar to those of claim(s) 1. Therefore, claim 10 is rejected with the same reasoning as claim(s) 1.
With respect to claim 16, the limitation(s) of claim 16 are similar to those of claim(s) 1. Therefore, claim 16 is rejected with the same reasoning as claim(s) 1.
Claim(s) 2, 4, 7, 9, 11, 13, 17, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Carru (US 2019/0392017 A1) in view of Fok et al. (US 2003/0187995 A1), and further in view of Gupta et al. (US 6,226,752 B1).
With respect to claim 2, Carru discloses SSO issues the session to the browser via an SSO cookie (¶0163). Carru do(es) not explicitly disclose the following. Fok, in order to improve efficiency by executing required business logic only once rather than for all threads for multiple requests (¶0075), discloses: the system of claim 1, wherein establishing the session for the plurality of applications via the single browser instance comprises:
determining the browser-session cookie matches a valid session; and (i.e., identifying the client by generated client identifier in cookie of client communications in Fok, ¶0014-0015)
Based on Carru in view of Fok, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Fok to improve upon those of Carru in order to improve efficiency by executing required business logic only once rather than for all threads for multiple requests.
Carru discloses responsive to whether user has valid SSO session or not, initiating the login ceremony or validating the existing session (¶0176). Carru and Fok do(es) not explicitly disclose the following. Gupta, in order to improve robustness such that individual applications on the server do not need logic to authenticate every response and can instead offload to the login server to authenticate the user (col. 13 lines 29-40), discloses: loading the valid session as the session to be established (i.e., determine and choose an active session based on the associated cookie in browser requests in Gupta, col. 11 lines 46-67).
Based on Carru in view of Fok, and further in view of Gupta, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Gupta to improve upon those of Carru in order to improve robustness such that individual applications on the server do not need logic to authenticate every response and can instead offload to the login server to authenticate the user.
With respect to claim 4, Carru discloses SSO issues the session to the browser via an SSO cookie (¶0163). Carru do(es) not explicitly disclose the following. Fok, in order to improve efficiency by executing required business logic only once rather than for all threads for multiple requests (¶0075), discloses: the system of claim 1, wherein the operations further comprise:
determining the plurality of concurrent requests comprise no browser-session synchronization cookies (i.e., check if request has an associated cookie corresponding to synchronization state data in Fok, ¶0077);
generating a random value for the query parameter (i.e., uniquely generates a number to identify the client of the associated session with other combined information in Fok, ¶0077)
Based on Carru in view of Fok, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Fok to improve upon those of Carru in order to improve efficiency by executing required business logic only once rather than for all threads for multiple requests.
Carru discloses responsive to whether user has valid SSO session or not, initiating the login ceremony or validating the existing session (¶0176). Fok do(es) not explicitly disclose the following. Gupta, in order to improve robustness such that individual applications on the server do not need logic to authenticate every response and can instead offload to the login server to authenticate the user (col. 13 lines 29-40), discloses:
generating a browser-session sync-parameter cookie comprising the query parameter associated with the random value (i.e., sending a redirect message with a temporary identifier conveyed in a URL parameter in Gupta, col. 12 lines 13-24); and
constructing a uniform resource locator (URL) associated with the browser-session sync-parameter cookie (i.e., application server sends redirect message with login server URL which includes the URL cookie and temporary identifier in Gupta, col. 12 lines 13-24).
Based on Carru in view of Fok, and further in view of Gupta, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Gupta to improve upon those of Carru in order to improve robustness such that individual applications on the server do not need logic to authenticate every response and can instead offload to the login server to authenticate the user.
With respect to claim 7, Carru discloses responsive to whether user has valid SSO session or not, initiating the login ceremony or validating the existing session (¶0176). Carru and Fok do(es) not explicitly disclose the following. Gupta, in order to improve robustness such that individual applications on the server do not need logic to authenticate every response and can instead offload to the login server to authenticate the user (col. 13 lines 29-40), discloses: the system of claim 1, wherein the operations further comprise:
communicating, to the user device, the browser-session cookie for the plurality of applications (i.e., determining a user has been previously authenticated using the cookie allowing application servers corresponding to the login server authenticate the user easily in Gupta, col. 12 lines 42-62).
Based on Carru in view of Fok, and further in view of Gupta, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Gupta to improve upon those of Carru in order to improve robustness such that individual applications on the server do not need logic to authenticate every response and can instead offload to the login server to authenticate the user.
With respect to claim 9, Carru discloses SSO issues the session to the browser via an SSO cookie (¶0163). Carru do(es) not explicitly disclose the following. Fok, in order to improve efficiency by executing required business logic only once rather than for all threads for multiple requests (¶0075), discloses: the system of claim 1, wherein the operations further comprise:
receiving, from the user device, one or more subsequent requests for session establishment, wherein the one or more subsequent requests comprise the browser-session identifier (i.e., subsequent requests pass the corresponding cookie in Fok, ¶0077)
Based on Carru in view of Fok, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Fok to improve upon those of Carru in order to improve efficiency by executing required business logic only once rather than for all threads for multiple requests.
Carru discloses responsive to whether user has valid SSO session or not, initiating the login ceremony or validating the existing session (¶0176). Carru and Fok do(es) not explicitly disclose the following. Gupta, in order to improve robustness such that individual applications on the server do not need logic to authenticate every response and can instead offload to the login server to authenticate the user (col. 13 lines 29-40), discloses: rejecting the one or more subsequent requests (i.e., determining the corresponding session and validity, if not valid the session may be destroyed and future requests rejected in Gupta, col. 14 lines 1-11).
Based on Carru in view of Fok, and further in view of Gupta, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Gupta to improve upon those of Carru in order to improve robustness such that individual applications on the server do not need logic to authenticate every response and can instead offload to the login server to authenticate the user.
With respect to claim 11, the limitation(s) of claim 11 are similar to those of claim(s) 2. Therefore, claim 11 is rejected with the same reasoning as claim(s) 2.
With respect to claim 13, the limitation(s) of claim 13 are similar to those of claim(s) 4. Therefore, claim 13 is rejected with the same reasoning as claim(s) 4.
With respect to claim 17, the limitation(s) of claim 17 are similar to those of claim(s) 2. Therefore, claim 17 is rejected with the same reasoning as claim(s) 2.
With respect to claim 19, the limitation(s) of claim 19 are similar to those of claim(s) 4. Therefore, claim 19 is rejected with the same reasoning as claim(s) 4.
Claim(s) 3, 5, 6, 12, 14, 15, 18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Carru (US 2019/0392017 A1) in view of Fok et al. (US 2003/0187995 A1) and Gupta et al. (US 6,226,752 B1), and further in view of Reddy et al. (US 2014/0108667 A1).
With respect to claim 3, Carru discloses responsive to whether user has valid SSO session or not, initiating the login ceremony or validating the existing session (¶0176). Fok do(es) not explicitly disclose the following. Gupta, in order to improve robustness such that individual applications on the server do not need logic to authenticate every response and can instead offload to the login server to authenticate the user (col. 13 lines 29-40), discloses: the system of claim 1, wherein the operations further comprise:
wherein determining the browser-session identifier comprises: for a first browser-session synchronization cookie of the plurality of browser-session synchronization cookies corresponding to a first concurrent request of the plurality of concurrent requests:
determining the query parameter exists on the first concurrent request (i.e., if there is no valid session the server redirects the client's request to a login server including a temporary identifier; the temporary identifier can be compared to stored temporary identifier to determine if the user attempting a request has been authenticated in Gupta, col. 12 lines 13-24, lines 62-67, and col. 13 line 1-6);
determining the first browser-session synchronization cookie is valid (i.e., validating the session token to authenticate the user corresponding to locating a session corresponding to the cookie in Gupta, col. 11 line 65 to col. 12 line 7);
determining, based on a value of the query parameter, a prior session associated with a prior request exists (i.e., determining a prior session based on the temporary identifier in Gupta, col. 12 lines 13-24, lines 62-67, and col. 13 line 1-6);
identifying, based on the value of the query parameter, a prior browser-session identifier associated with the prior request (i.e., compare received temporary identifier with stored temporary identifier to determine previous session in Gupta, col. 12 lines 13-24, lines 62-67, and col. 13 line 1-6); and
selecting the prior browser-session identifier as the browser-session identifier (i.e., a previous valid session is found and used in Gupta, col. 12 lines 41-61).
Based on Carru in view of Fok, and further in view of Gupta, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Gupta to improve upon those of Carru in order to improve robustness such that individual applications on the server do not need logic to authenticate every response and can instead offload to the login server to authenticate the user.
Carru discloses microservice creates the cookie and embeds state information to store in user's browser and sends the cookie to the SSO microservice automatically (¶0205). Fok and Gupta do(es) not explicitly disclose the following. Reddy, in order to improves portability as a server-side solution for uniquely interacting with specific browser tabs (¶0034), discloses: determining the plurality of concurrent requests comprise the plurality of browser-session synchronization cookies (i.e., a generated cookie for each open tab corresponds to unique IDs in Reddy, ¶0042-0043).
Based on Carru in view of Fok and Gupta, and further in view of Reddy, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Reddy to improve upon those of Carru in order to improves portability as a server-side solution for uniquely interacting with specific browser tabs.
With respect to claim 5, Carru discloses microservice creates the cookie and embeds state information to store in user's browser and sends the cookie to the SSO microservice automatically (¶0205). Carru, Fok, and Gupta do(es) not explicitly disclose the following. Reddy, in order to improves portability as a server-side solution for uniquely interacting with specific browser tabs (¶0034), discloses: the system of claim 4, wherein the redirect response comprises the browser-session sync-parameter cookie, and wherein the redirect response is based on the URL (i.e., browser utilizes the URL for additional requests that include the session cookie corresponding to the browser tab in Reddy, col. 12 lines 13-24).
Based on Carru in view of Fok and Gupta, and further in view of Reddy, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Reddy to improve upon those of Carru in order to improves portability as a server-side solution for uniquely interacting with specific browser tabs.
With respect to claim 6, Carru discloses SSO issues the session to the browser via an SSO cookie (¶0163). Carru do(es) not explicitly disclose the following. Fok, in order to improve efficiency by executing required business logic only once rather than for all threads for multiple requests (¶0075), discloses: the system of claim 1, wherein the operations further comprise:
extracting a browser-session identifier from a first browser-session sync-parameter cookie of the plurality of browser-session synchronization cookies (i.e., each subsequent request from the client includes the cookie allowing the tracking and identification of the source of the request corresponding to an identifier value in a cookie in Fok, ¶0080).
Based on Carru in view of Fok, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Fok to improve upon those of Carru in order to improve efficiency by executing required business logic only once rather than for all threads for multiple requests.
Carru discloses responsive to whether user has valid SSO session or not, initiating the login ceremony or validating the existing session (¶0176). Carru and Fok do(es) not explicitly disclose the following. Gupta, in order to improve robustness such that individual applications on the server do not need logic to authenticate every response and can instead offload to the login server to authenticate the user (col. 13 lines 29-40), discloses: determining, for each of the plurality of browser-session synchronization cookies, none of a respective value of the query parameter maps to a prior session (i.e., finding a session associated with a user to create, validate or invalidate user sessions in Gupta, col. 12 lines 8-12).
Based on Carru in view of Fok, and further in view of Gupta, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Gupta to improve upon those of Carru in order to improve robustness such that individual applications on the server do not need logic to authenticate every response and can instead offload to the login server to authenticate the user.
Carru discloses microservice creates the cookie and embeds state information to store in user's browser and sends the cookie to the SSO microservice automatically (¶0205). Carru, Fok, and Gupta do(es) not explicitly disclose the following. Reddy, in order to improves portability as a server-side solution for uniquely interacting with specific browser tabs (¶0034), discloses: determining the plurality of concurrent requests comprise a plurality of browser-session synchronization cookies (i.e., a rewritten URL and further request include unique session cookies corresponding to browser tabs and login requests in Reddy, ¶0010-0011).
Based on Carru in view of Fok and Gupta, and further in view of Reddy, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Reddy to improve upon those of Carru in order to improves portability as a server-side solution for uniquely interacting with specific browser tabs.
With respect to claim 12, the limitation(s) of claim 12 are similar to those of claim(s) 3. Therefore, claim 12 is rejected with the same reasoning as claim(s) 3.
With respect to claim 14, the limitation(s) of claim 14 are similar to those of claim(s) 5. Therefore, claim 14 is rejected with the same reasoning as claim(s) 5.
With respect to claim 15, the limitation(s) of claim 15 are similar to those of claim(s) 6. Therefore, claim 15 is rejected with the same reasoning as claim(s) 6.
With respect to claim 18, the limitation(s) of claim 18 are similar to those of claim(s) 3. Therefore, claim 18 is rejected with the same reasoning as claim(s) 3.
With respect to claim 20, the limitation(s) of claim 20 are similar to those of claim(s) 5. Therefore, claim 20 is rejected with the same reasoning as claim(s) 5.
Claim(s) 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Carru (US 2019/0392017 A1) in view of Fok et al. (US 2003/0187995 A1), and further in view of Masurkar (US 7,730,523 B1).
With respect to claim 8, Carru discloses responsive to whether user has valid SSO session or not, initiating the login ceremony or validating the existing session (¶0176). Carru and Fok do(es) not explicitly disclose the following. Masurkar, in order to improve integrity, diagnosability and comparability of state for client and server (col. 22 lines 49-59), discloses: the system of claim 1, wherein the operations further comprise:
generating, for the browser-session cookie, at least one of a hash-based message authentication code or a digital signature (i.e., HMAC added to every cookie string for more privacy in Masurkar, col. 22 lines 49-59).
Based on Carru in view of Fok, and further in view of Masurkar, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Masurkar to improve upon those of Carru in order to improve integrity, diagnosability and comparability of state for client and server.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHERMAN L LIN whose telephone number is (571)270-7446. The examiner can normally be reached Monday through Friday 9:00 AM - 5:00 PM (Eastern).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon Hwang can be reached at 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Sherman Lin
5/23/2026
/S. L./Examiner, Art Unit 2447
/JOON H HWANG/Supervisory Patent Examiner, Art Unit 2447