EXAMINER’S AMENDMENT 

Authority for the following examiner’s amendment was provided by Applicant’s representative, Bruce Rubenstein, on 2/12/2021. 
Please make the following changes to the claims filed on 12/14/2020: 

1.	(Currently amended) A method of maintaining user sessions across multiple web applications, the method comprising:
receiving, by a first web application running on a first server, a cross-application request from a client application running on a client device, the cross-application request indicating a user action to access a second web application, the second web application running on a second server;
sending, by the first web application in response to receiving the cross-application request, a single-use password to the client application; 
receiving, by the first web application, a session request from the second web application via a web server running on the second server, the session request including the single-use password as received by the second web application from the client application via the web server; and
in response to receiving the session request, sending, by the first web application, session data to the second web application, the session data (i) pertaining to a session previously established between the client application and the first web application and (ii) enabling the second web application to participate in the session with the client application,
wherein the method further comprises the first server generating the single-use password in response to the first web application receiving the cross-application request, the first server generating the single-use password with a predefined expiration period, wherein the first web application is configured to treat the single-use password as invalid after the expiration period has elapsed, and wherein the session data as sent to the second web application includes a list of allowed operations that the user is permitted to perform, such that the second web application restricts activities of the user to those included in the list of allowed operations. 

2.	(Canceled) 

3.	(Currently amended) The method of claim 1 [[2]], further comprising, prior to the first server receiving the cross-application request:
creating the session data upon establishing the session with the client application and after successfully authenticating a user of the client application;
assigning a session key to the session data, the session key uniquely identifying the session data for the session from among other session data for other sessions; and
sending the session key to the client application.

4.	(Original) The method of claim 3, wherein the session key is a random or pseudorandom value.

5.	(Original) The method of claim 3, wherein the cross-application request received from the client device includes the session key as previously sent to the client application.

6.	(Original) The method of claim 5, further comprising, after establishing the session with the client application and prior to receiving the cross-application request, sending a web page to the client device to be rendered by the client application, the web page including a user control configured to issue the cross-application request when operated by the user. 

7.	(Original) The method of claim 5, wherein the session request received from the second web application further includes a service secret that identifies the second web 

8.	(Original) The method of claim 7, further comprising, when sending the session data to the second web application, also sending the session key to the second web application.

9.	(Canceled)

10.	(Currently amended) A method of maintaining user sessions across multiple web applications, the method comprising:
receiving, by a first web application running on a first server, a cross-application request from a client application running on a client device, the cross-application request indicating a user action to access a second web application, the second web application running on a second server;
sending, by the first web application in response to receiving the cross-application request, a single-use password to the client application; 
receiving, by the second web application via a web server running on the second server, an access request from the client application, the access request including the single-use password;
sending, by the second web application via the web server, a session request to the first web application, the session request including the single-use password as received by the second web application in the access request; and
in response to receiving the session request, sending, by the first web application, session data to the second web application, the session data pertaining to a session previously established between the client application and the first web application, the second web application then participating in the session with the client application,
wherein the method further comprises the first server generating the single-use password in response to the first web application receiving the cross-application request, the first server generating the single-use password with a predefined expiration period, wherein the first web application is configured to treat the single-use password as invalid after the expiration period has elapsed, and wherein the session data as sent to the second web application includes a list of allowed operations that the user is permitted to perform, such that the second web application restricts activities of the user to those included in the list of allowed operations. 

11.	(Original) The method of claim 10, wherein the first web application and the second web application are hosted from different Internet domains.

12.	(Original) The method of claim 11, wherein participating in the session with the client application includes the second web application sending content to the client application within the session.

13.	(Original) The method of claim 12, further comprising the first web application successfully authenticating a user of the client application and providing an indication of successful authentication of the user in the session data,
wherein sending the content to the client application is performed based on the successful authentication of the user by the first web application and without requiring additional authentication of the user by the second web application.

14.	(Currently amended) A computer program product including a set of non-transitory, computer-readable media having instructions which, when executed by control circuitry of a first server, cause the control circuitry to perform a method for maintaining user sessions across multiple web applications, the method comprising:

sending, by the first web application in response to receiving the cross-application request, a single-use password to the client application; 
receiving, by the first web application, a session request from the second web application via a web server running on the second server, the session request including the single-use password as received by the second web application from the client application via the web server; and
in response to receiving the session request, sending, by the first web application, session data to the second web application, the session data (i) pertaining to a session previously established between the client application and the first web application and (ii) enabling the second web application to participate in the session with the client application,
wherein the method further comprises the first server generating the single-use password in response to the first web application receiving the cross-application request, the first server generating the single-use password with a predefined expiration period, wherein the first web application is configured to treat the single-use password as invalid after the expiration period has elapsed, and wherein the session data as sent to the second web application includes a list of allowed operations that the user is permitted to perform, such that the second web application restricts activities of the user to those included in the list of allowed operations.

15.	(Canceled)

16.	(Currently amended) The computer program product of claim 14 [[15]], wherein the method further comprises, prior to the first server receiving the cross-application request:

assigning a session key to the session data, the session key uniquely identifying the session data for the session from among other session data for other sessions; and
sending the session key to the client application.

17.	(Original) The computer program product of claim 16, wherein the cross-application request received from the client device includes the session key as previously sent to the client application.

18.	(Original) The computer program product of claim 17, wherein the method further comprises, after establishing the session with the client application and prior to receiving the cross-application request, sending a web page to the client device to be rendered by the client application, the web page including a user control configured to issue the cross-application request when operated by the user. 

19.	(Original) The computer program product of claim 17, wherein the session request received from the second web application further includes a service secret that identifies the second web application as trusted, and wherein sending the session data to the second web application is performed only after the first web application confirms that the service secret as received from the second web application is valid.

20.	(Original) The computer program product of claim 19, wherein the method further comprises, when sending the session data to the second web application, also sending the session key to the second web application. 

21.	(Previously presented) The method of claim 1, further comprising, after establishing the session with the client application and prior to receiving the cross-application request, 
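
The exchange recited in claims 1, 10 and 19, as an added Python illustration that is not part of the Office action or the application. Class, method and parameter names, the 30-second lifetime and the in-memory stores are assumptions, and HTTP transport is replaced by direct method calls.

```python
import hmac
import secrets
import time

class FirstApp:
    """Holds the session; issues and redeems single-use passwords (names assumed)."""
    def __init__(self, service_secret, otp_ttl=30.0, clock=time.monotonic):
        self._secret, self._ttl, self._clock = service_secret, otp_ttl, clock
        self._sessions = {}  # session key -> session data
        self._otps = {}      # single-use password -> (session key, expiry time)

    def login(self, user, allowed_ops):
        # Session data is created after authentication and keyed by a random value.
        key = secrets.token_urlsafe(32)
        self._sessions[key] = {"user": user, "authenticated": True,
                               "allowed_ops": sorted(allowed_ops)}
        return key

    def cross_app_request(self, session_key):
        # The password is generated only on request, with a fixed expiration period.
        if session_key not in self._sessions:
            raise PermissionError("unknown session")
        otp = secrets.token_urlsafe(32)
        self._otps[otp] = (session_key, self._clock() + self._ttl)
        return otp

    def session_request(self, otp, service_secret):
        # Constant-time check of the service secret before touching the password.
        if not hmac.compare_digest(service_secret.encode(), self._secret.encode()):
            raise PermissionError("untrusted service")
        entry = self._otps.pop(otp, None)  # pop makes the password single-use
        if entry is None:
            raise PermissionError("unknown or already used password")
        session_key, expires = entry
        if self._clock() > expires:
            raise PermissionError("password expired")
        return session_key, dict(self._sessions[session_key])

class SecondApp:
    """Redeems the password server-to-server, then enforces the allowed list."""
    def __init__(self, first_app, service_secret):
        self._first, self._secret, self._sessions = first_app, service_secret, {}

    def access(self, otp):
        key, data = self._first.session_request(otp, self._secret)
        self._sessions[key] = data
        return key

    def perform(self, session_key, operation):
        data = self._sessions.get(session_key)
        return bool(data) and data["authenticated"] and operation in data["allowed_ops"]
```

The session key and session data travel only between the two servers; the client carries nothing but the short-lived password, so a replayed or stale password yields no session.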

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Andrew Georgandellis whose telephone number is 571-270-3991.  The examiner can normally be reached on Monday through Friday, 7:30-5:00 PM EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Tonia Dollinger, can be reached on 571-272-4170.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ANDREW C GEORGANDELLIS/Primary Examiner, Art Unit 2459