DETAILED ACTION
This action is in response to an amendment filed 4/14/2021 and an Examiner’s interview conducted 5/05/2021.  Claims 1, 14 and 18 were amended via the amendment.  Claims 6 and 16 were cancelled.  New claims 21-22 were added.  Claims 1-5, 7-15 and 17-22 are pending and are examined.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below.  Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. 
Authorization for this Examiner’s amendment was given in a telephone interview with Michael E. Carmen on 5/05/2021.
Claims 1, 10, 14 and 18 are amended.  Claims 12 and 22 are cancelled.  New claims 23 and 24 are added. This application has been amended as follows:

1.  (Currently amended)  An apparatus comprising:
	at least one processing device comprising a processor coupled to a memory;
	the processing device implementing an authentication server configured to communicate with one or more client devices over a network;
	wherein the authentication server is further configured:
	responsive to a successful login to a user account by a client device, to provide the client device with a login cookie for the user account for utilization in one or more subsequent logins to the user account, wherein the authentication server digitally signs the login cookie before providing the login cookie to the client device;
	to initialize a cookie-specific counter for the login cookie;
	to increment the cookie-specific counter for each of one or more unsuccessful logins to the user account made utilizing the login cookie; and
	responsive to the cookie-specific counter reaching a specified value, to lock the user account for any subsequent logins to the user account made utilizing the login cookie; and
wherein the authentication server is further configured:
to maintain a non-cookie counter of unsuccessful logins for the user account that are made without utilizing a login cookie; 
to reset the non-cookie counter responsive to a successful login attempt made without utilizing a login cookie; and
responsive to the non-cookie counter reaching a specified value, to lock the user account for any subsequent logins made without utilizing a login cookie.

2.  (Original)  The apparatus of claim 1 wherein the authentication server is further configured to reset the cookie-specific counter responsive to a successful login to the user account made utilizing the login cookie.

3.  (Original)  The apparatus of claim 1 wherein the authentication server is further configured to provide a plurality of distinct login cookies for the user account responsive to respective successful logins to the user account made without utilizing a login cookie.

4.  (Original)  The apparatus of claim 3 wherein the authentication server is further configured to maintain for each of the login cookies a distinct cookie-specific counter indicating a number of unsuccessful logins to the user account made utilizing the corresponding login cookie.

5.  (Original)  The apparatus of claim 3 wherein at least a subset of the successful logins for which the distinct login cookies are provided are made from respective different client devices or from respective different browsers on the same client device.

6.  (Canceled)

7.  (Original)  The apparatus of claim 1 wherein the authentication server is further configured:
	to receive the login cookie in conjunction with a subsequent login; and
	to permit the subsequent login to proceed responsive to the cookie-specific counter for the login cookie being below the specified value.

8.  (Original)  The apparatus of claim 7 wherein the authentication server is further configured:
	responsive to the subsequent login being successful, to reset the cookie-specific counter.

9.  (Original)  The apparatus of claim 1 wherein the login cookie comprises account information for the user account and a distinct cookie number.

10.  (Currently amended)  An [[The]] apparatus comprising:
	at least one processing device comprising a processor coupled to a memory;
	the processing device implementing an authentication server configured to communicate with one or more client devices over a network;
	wherein the authentication server is further configured:
	responsive to a successful login to a user account by a client device, to provide the client device with a login cookie for the user account for utilization in one or more subsequent logins to the user account, wherein the authentication server generates integrity check information for the login cookie and provides the integrity check information to the client device as part of the login cookie, being generated utilizing a secret key of the authentication server;
	to initialize a cookie-specific counter for the login cookie;
to increment the cookie-specific counter for each of one or more unsuccessful logins to the user account made utilizing the login cookie; and
	responsive to the cookie-specific counter reaching a specified value, to lock the user account for any subsequent logins to the user account made utilizing the login cookie; and 
wherein the authentication server is further configured:
to maintain a non-cookie counter of unsuccessful logins for the user account that are made without utilizing a login cookie; 
to reset the non-cookie counter responsive to a successful login attempt made without utilizing a login cookie; and
responsive to the non-cookie counter reaching a specified value, to lock the user account for any subsequent logins made without utilizing a login cookie.  

11.  (Original)  The apparatus of claim 10 wherein the integrity check information is generated as a keyed hash function of content of the login cookie and wherein the keyed hash function utilizes the secret key of the authentication server.

12.  (Canceled)

13.  (Original)  The apparatus of claim 1 wherein the authentication server is further configured to authenticate the login cookie in conjunction with a subsequent login to the user account made utilizing the login cookie.

14.  (Currently amended)  A method comprising:
	responsive to a successful login to a user account by a client device, providing the client device with a login cookie for the user account for utilization in one or more subsequent logins to the user account;
	initializing a cookie-specific counter for the login cookie;
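	incrementing the cookie-specific counter for each of one or more unsuccessful logins to the user account made utilizing the login cookie; and
	responsive to the cookie-specific counter reaching a specified value, locking the user account for any subsequent logins to the user account made utilizing the login cookie;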
	wherein the method is performed by an authentication server implemented by at least one processing device comprising a processor coupled to a memory; and
wherein the authentication server:
digitally signs the login cookie before providing the login cookie to the client device;
maintains a non-cookie counter of unsuccessful login attempts for the user account that are made without utilizing a login cookie;
resets the non-cookie counter responsive to a successful login attempt made without utilizing the login cookie; and
responsive to the non-cookie counter reaching a specified value, locks the user account for any subsequent logins made without utilizing a login cookie.  

15.  (Original)  The method of claim 14 wherein the authentication server provides a plurality of distinct login cookies for the user account responsive to respective successful logins to the user account made without utilizing a login cookie and maintains for the plurality of login cookies respective distinct cookie-specific counters each indicating a number of unsuccessful logins to the user account made utilizing the corresponding login cookie.

16.  (Canceled)

17.  (Original)  The method of claim 14 wherein the authentication server:
	receives the login cookie in conjunction with a subsequent login; 
	permits the subsequent login to proceed responsive to the cookie-specific counter for the login cookie being below the specified value; and
	responsive to the subsequent login being successful, resets the cookie-specific counter.

18.  (Currently amended)  A computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes an authentication server implemented by said at least one processing device:
	responsive to a successful login to a user account by a client device, to provide the client device with a login cookie for the user account for utilization in one or more subsequent logins to the user account, wherein the authentication server digitally signs the login cookie before providing the login cookie to the client device;
	to initialize a cookie-specific counter for the login cookie;
	to increment the cookie-specific counter for each of one or more unsuccessful logins to the user account made utilizing the login cookie; and
	responsive to the cookie-specific counter reaching a specified value, to lock the user account for any subsequent logins to the user account made utilizing the login cookie;
wherein the program code when executed by said at least one processing device further causes the authentication server:
to maintain a non-cookie counter of unsuccessful login attempts for the user account that are made without utilizing a login cookie;
to reset the non-cookie counter responsive to a successful login attempt made without utilizing the login cookie; and
responsive to the non-cookie counter reaching a specified value, to lock the user account for any subsequent logins made without utilizing a login cookie.
 
19.  (Original)  The computer program product of claim 18 wherein the authentication server provides a plurality of distinct login cookies for the user account responsive to respective successful logins to the user account made without utilizing a login cookie and maintains for the plurality of login cookies respective distinct cookie-specific counters each indicating a number of unsuccessful logins to the user account made utilizing the corresponding login cookie.

20.  (Original)  The computer program product of claim 18 wherein the authentication server:
	receives the login cookie in conjunction with a subsequent login; 
	permits the subsequent login to proceed responsive to the cookie-specific counter for the login cookie being below the specified value; and
	responsive to the subsequent login being successful, resets the cookie-specific counter.

21.  (Previously presented)  The computer program product of claim 18 wherein the authentication server generates integrity check information for the login cookie and provides the integrity check information to the client device as part of the login cookie wherein the integrity check information is generated utilizing a secret key of the authentication server.  

22.  (Canceled)  

23.  (New)  The method of claim 14 wherein the authentication server generates integrity check information for the login cookie and provides the integrity check information to the client device as part of the login cookie wherein the integrity check information is generated utilizing a secret key of the authentication server.  

24.  (New)  The apparatus of claim 1 wherein the authentication server is further configured to generate integrity check information for the login cookie and to provide the 


Response to Argument
Applicant’s amendment, filed 4/14/2021, to claims 1, 14 and 18 cancelling the claim term “potential” is sufficient to overcome the rejection of the aforementioned claims under 112, second paragraph, for containing indefinite language.  Accordingly, the rejection of claims 1, 14 and 18 under 112, second paragraph, is withdrawn.
The Examiner’s amendments herein and Applicant’s arguments in pages 7-11 of the Remarks, filed 4/14/2021, with respect to Claims 1-11 and 13-20 as being rejected under 35 U.S.C. 103 as being unpatentable over Glassman (US 2003/0149900) in view of Fort (US 2011/0314290) and Claim 12 as being rejected under 35 U.S.C. 103 as being unpatentable over Glassman (US 2003/0149900) in view of Fort (US 2011/0314290), as applied to claim 1, further in view of Pike (US 8,850,520), have been fully considered and, together with the newly amended claim limitations, are found persuasive.  These rejections have been withdrawn.

Allowable Subject Matter
Claims 1-5, 7-11, 13-15, 17-21 and 23-24 are allowed in light of the Examiner’s amendments herein, Applicant’s arguments and in light of the prior art made of record.

Reasons for Allowance
The following is an examiner’s statement for reasons for allowance:

Newly amended independent claims 1, 10, 14 and 18 are allowed because the closest identified prior art Glassman (US 2003/0149900) and Fort (US 2011/0314290), alone or in combination, fails to anticipate or render obvious the claimed invention.
Glassman (prior art on the record) teaches a system that gives preferential treatment to users whose number of failed logins made using a cookie is below a threshold.  Each time a user attempts to log in without a login cookie, a login cookie is generated for the user.  The login cookie contains an invalid login count entry which counts the number of invalid logins.  If the invalid login count entry exceeds a threshold number of failed logins, then the cookie is downgraded to a second-class cookie.  The login cookie may also contain an IP address identifier, password identifier, account identifier entry, and login cookie identifier.  The login cookie identifier may be generated from hashing a nonce and a validity stamp with a secret code known only to the server.  The system also tracks invalid login attempts for one or more attributes of such attempts including a login cookie, an IP address, an account user name, and a password.  If any of the counts exceeds a defined limit, the system determines that an attack is under way and slows down the rate at which login attempts made using second-class login cookies are processed.
Fort (prior art on the record) teaches a method for blocking a user account against subsequent login attempts after a number of failed login attempts exceeds a number of trials permitted for login.  The method comprises storing an authentication 
None of the prior art of record cited above, or in the newly filed information disclosure statements, teaches all the combination of non-obvious features of claims 1, 14 and 18 of the present invention: 
“responsive to a successful login to a user account by a client device, providing the client device with a login cookie for the user account for utilization in one or more subsequent logins to the user account; initializing a cookie-specific counter for the login cookie; incrementing the cookie-specific counter for each of one or more unsuccessful logins to the user account made utilizing the login cookie; and responsive to the cookie-specific counter reaching a specified value, locking the user account for any subsequent logins to the user account made utilizing the login cookie;”
“wherein the method is performed by an authentication server implemented by at least one processing device comprising a processor coupled to a memory; and wherein the authentication server: digitally signs the login cookie before providing the login cookie to the client device; maintains a non-cookie counter of unsuccessful login attempts for the user account that are made without utilizing a login cookie; resets the non-cookie counter responsive to a successful login attempt made without utilizing the login cookie; and responsive to the non-cookie counter reaching a specified value, locks the user account for any subsequent logins made without utilizing a login cookie.”
None of the prior art of record cited above, or in the newly filed information disclosure statements, teaches all the combination of non-obvious features of claim 10 of the present invention: 
“responsive to a successful login to a user account by a client device, to provide the client device with a login cookie for the user account for utilization in one or more subsequent logins to the user account, wherein the authentication generates integrity 
“wherein the authentication server is further configured: to maintain a non-cookie counter of unsuccessful logins for the user account that are made without utilizing a login cookie; to reset the non-cookie counter responsive to a successful login attempt made without utilizing a login cookie; and responsive to the non-cookie counter reaching a specified value, to lock the user account for any subsequent logins made without utilizing a login cookie.”

None of the prior art of record, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.
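
The mechanism recited in the allowed claims can be sketched as follows. This is an added example, not code from the application or from the cited references. The class name `AuthServer`, the threshold of 3, the `account:number.tag` cookie layout, HMAC-SHA-256 as the keyed hash of claim 11, the in-memory storage, and the choice to count a cookie that fails verification on the non-cookie path are all assumptions.

```python
import hashlib
import hmac
import secrets

THRESHOLD = 3  # assumed "specified value"; the claims leave it open


class AuthServer:
    """Toy in-memory model of the claimed lockout scheme (hypothetical names)."""

    def __init__(self, passwords):
        self._key = secrets.token_bytes(32)  # secret key of the authentication server
        self._passwords = dict(passwords)    # account -> password (plaintext only in this toy)
        self._cookie_fails = {}              # (account, cookie number) -> failed logins
        self._plain_fails = {}               # account -> failed logins made without a cookie

    def _tag(self, body):
        # Integrity check information: keyed hash over the cookie content.
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def _cookie_id(self, account, cookie):
        # Return (account, number) only for an authentic cookie issued for this account.
        try:
            body, tag = cookie.rsplit(".", 1)
            acct, number = body.split(":", 1)
            ok = hmac.compare_digest(tag.encode(), self._tag(body).encode())
        except (AttributeError, ValueError):
            return None
        return (acct, number) if ok and acct == account else None

    def login(self, account, password, cookie=None):
        """Return (status, cookie); status is 'ok', 'denied' or 'locked'."""
        cid = self._cookie_id(account, cookie) if cookie else None
        # Assumption: a missing or non-authentic cookie is counted on the non-cookie path.
        fails, key = (self._cookie_fails, cid) if cid else (self._plain_fails, account)
        if fails.get(key, 0) >= THRESHOLD:
            return ("locked", None)
        stored = self._passwords.get(account)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            fails[key] = fails.get(key, 0) + 1
            return ("denied", None)
        fails[key] = 0  # reset the counter for this path on success
        if cid:
            return ("ok", cookie)
        # Successful login without a cookie: issue a new cookie with a distinct number.
        number = secrets.token_hex(8)
        body = f"{account}:{number}"
        self._cookie_fails[(account, number)] = 0  # initialize the cookie-specific counter
        return ("ok", f"{body}.{self._tag(body)}")
```

Because the two counters are independent, failed guesses made without a cookie lock only the non-cookie path; a client holding a valid cookie can still log in until that cookie's own counter reaches the threshold.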

Conclusion
Therefore, claims 1-5, 7-11, 13-15, 17-21 and 23-24 are hereby allowed in view of applicant’s persuasive arguments and in light of amendment to the claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHARON S LYNCH/Primary Examiner, Art Unit 2438