DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Information Disclosure Statement
No information disclosure statement(s) (IDS) was filed before the mailing date of this office action.  Accordingly, no information disclosure statement is being considered by the examiner. 
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-4, 7-8, 10, 13-18, 21-23 and 25 are rejected under 35 U.S.C. 102(a)(1)(a)(2) as being anticipated by USPAT No. 10,225,255 B1 to Jampani et al. (hereinafter “Jampani”)
Regarding claim 1:
Jampani discloses:
A method (col 11, line 60: “… a data processing method …”) comprising: 
receiving, by a client (see Fig. 2, Client Computer 299) via a device (see Fig. 2, Intermediary Computer 230), an authentication cookie (col 14, line 27: “… a credential cookie …”) for access to a server (see Fig. 2, Web Infrastructure 205), the device maintaining a sequence number (col 19, line 60: “… a seed value …”) and a cryptographic secret (col 22, line 54: “… a secret key …”) (col 14, lines 36-38: “Credential-cookie instructions may comprise, and/or be included in, … credential-morphing instructions.”, col 16, lines 3-6: “… the intermediary computer sends … the credential morphing-instructions to the client computer.”, col 14, lines 46-48: “A browser and/or a bot may parse the credential-cookie instructions … and generate a credential cookie …”, col 22, lines 41-52: ” Credential validation module 340 may comprise a deterministic pseudo-random number generator … a deterministic pseudo-random number generator may generate a first number in response to a first seed and a second number in response to a second seed, and the first number and the second number may be different.”); 
generating, by the client using the cryptographic secret and a cookie engine (col 4, lines 38-39: “… a browser includes a JavaScript parser or JavaScript execution engine …”, see Fig. 2, Client Computer 299 runs Browser 295), validation cookie information with an updated sequence number (Abstract: “… send, to the client computer, the first challenge credential …”, col 24, lines 49-51: “The first challenge credential comprises a first timestamp … and a secret key …”, col 20, lines 10-15: “… the client computer generates a new credential based on the seed or a previous credential … browser 295 may execute one or more credential-morphing instructions, which may be configured to generate a valid credential based on a seed received from intermediary computer 230.”); and 
sending, by the client to the device via a hypertext transfer protocol (HTTP) message (col 7, lines 16-17: “ Intermediary computer 230 may be an HTTP or SPDY intermediary …”), the authentication cookie, and the validation cookie information with the updated sequence number (col 20, lines 12-15: “… browser 295 may execute one or more credential-morphing instructions, which may be configured to generate a valid credential based on a seed received from intermediary computer 230.”) to validate the authentication cookie (col 25, lines 39-44: “… forward transformer 336 may send, to browser 295 through protocol server module 338 … the first set of modified instructions … which when executed by a browser generate the first challenge-response credential pair stored in one or more credential cookies.”, col 25, lines 54-59: “… browser 295 may generate a request based on the particular link and include the first challenge credential and/or the first response credential in the first challenge-response credential pair. Credential validation module 340 may receive the request through protocol server module 338.”, col 25, lines 60-62: “… the intermediary computer may determine whether the challenge-response credential pair … is valid.”).  
Regarding claim 2:
Jampani discloses:
The method of claim 1, comprising: 
accessing, by the client, executable code of the cookie engine via a prior HTTP message from the device (col 16, lines 31-37: “… browser 295 may parse and/or execute the credential-morphing instructions using JavaScript parser 114 and JavaScript execution environment 120 to send a request for a new credential to intermediary computer 230. If browser 295 has already received and/or generated a credential, then browser 295 may send one or more of the previously received and/or generated credential in the request.”).  
Regarding claim 3:
Jampani discloses:
The method of claim 2, wherein generating the validation cookie information comprises: 
modifying, by the client using the cryptographic secret and the cookie engine, a cookie generated by the device, into the validation cookie information which comprises a validation cookie (col 16, lines 3-12: “… the intermediary computer sends the second set of instructions, which comprise the modified instructions and the credential morphing-instructions to the client computer. For example, forward transformer 336 may send the modified instructions in step 420 and the credential-morphing instructions in step 430 to browser 295. … the client computer parses and/or executes the credential-morphing instructions and updates the credential over time.”).  
Regarding claim 4:
Jampani discloses:
The method of claim 2, wherein generating the validation cookie information comprises: 
generating, by the client using the cryptographic secret and the cookie engine, the validation cookie information which comprises a validation cookie (col 16, lines 31-37: “… browser 295 may parse and/or execute the credential-morphing instructions using JavaScript parser 114 and JavaScript execution environment 120 to send a request for a new credential to intermediary computer 230. If browser 295 has already received and/or generated a credential, then browser 295 may send one or more of the previously received and/or generated credential in the request.”).  
Regarding claim 7:
Jampani discloses:  
The method of claim 1, comprising: 
generating, by the client using the cryptographic secret and the cookie engine, at each of a plurality of time instances, a respective validation cookie information with a respective updated sequence number (col 20, lines 18-27: “… over time, browser 295 may execute the credential-morphing instructions again to generate a new valid credential based on one or more previously generated valid credentials and/or seeds. … Updating a Credential Over Time … the credential morphing-instructions may define a time period, after which a browser should request, receive, generate, and/or update a new credential …”).  
Regarding claim 8:
Jampani discloses:
The method of claim 1, comprising: 
detecting, by a browser feature of the client, that the HTTP message is to be sent (col 25, lines 52-54: “Browser 295 may receive input indicating that a user selected a particular link in the web page sent to browser 295 in step 750.”); and 
generating, by the client responsive to the detection, the validation cookie information with the updated sequence number (col 25, lines 54-59: “In response, browser 295 may generate a request based on the particular link and include the first challenge credential and/or the first response credential in the first challenge-response credential pair. Credential validation module 340 may receive the request through protocol server module 338.”).  
Regarding claim 10:
Jampani discloses: 
The method of claim 1, comprising: 
storing, by the client, the updated sequence number in a local storage (col 16, lines 15-16: “… the credential may be stored in storage on a client computer …”, col 20, lines 10-11: “… the client computer generates a new credential based on the seed …”); and 
accessing, by the client after a page refresh (col 15, line 24: “… browser 295 calling an “onload” page event and/or callback.”), the updated sequence number from the local storage (col 15, lines 22-26: “… dynamic-credential instructions may be configured to be executed, at least partially, in response to browser 295 calling an “onload” page event and/or callback. … dynamic-credential instructions may comprise one or more credential-morphing instructions.”, col 20, lines 18-21: “… browser 295 may execute the credential-morphing instructions again to generate a new valid credential based on one or more previously generated valid credentials and/or seeds.”).  
Regarding claim 13:
Jampani discloses:
The method of claim 1, comprising: 
causing the device to remove the validation cookie information from the HTTP message and to communicate the HTTP message with the authentication cookie to the server, responsive to successful validation of the authentication cookie (col 20, lines 41-49: “In step 470, the intermediary computer determines whether the request is valid by determining if the credential included in the request, if any, is valid. … If credential validation module 340 determines the credential is valid, then control passes to step 490.”, col 21, lines 20-28: “In step 490, the intermediary computer forwards the request for data to the server computer. … Reverse transformer 342 may strip out data relating to the credential and produce a new request that would have been generated by browser 295 had the original instructions been received by browser 295. Reverse transformer 342 may send the new request to web infrastructure 205 through protocol client module 332.”).  
Regarding claim 14:
Jampani discloses:
The method of claim 1, wherein the device is intermediary between the client and the server (col 6, lines 27-29: “Referring first to FIG. 2, system 200 includes web infrastructure 205, client computer 299, intermediary computer 230 …”, see Fig.2, Intermediary Computer 230). 
Regarding claim 15:
Jampani discloses:
A client (col 29, lines 27-28: “… a computer system 800 …”), comprising: 
at least one processor (col 29, line 31: “… a hardware processor 804 …”) configured to:
In addition to the above limitations, claim 15 substantially recites the same limitations as claim 1 in the form of a client to realize the corresponding method, therefore it is rejected by the same rationale.
Regarding claims 16-18 and 21:
Claims 16-18 and 21 substantially recite the same limitations as claims 2-4 and 7, respectively, in the form of a client to realize the corresponding method, therefore they are rejected by the same rationale.
Regarding claim 22 and 25:
Claims 22 and 25 substantially recite the same limitations as claims 1 and 13, respectively, in the form of a method sending an authentication cookie, therefore they are rejected by the same rationale.
Regarding claim 23:
Jampani discloses:
The method of claim 22, comprising: 
injecting, by the device, executable code of the cookie engine into another HTTP message (col 21, lines 37-41: “… an intermediary computer may be configured to inject one or more challenge-response credential pairs into one or more instructions that define a web page, a portion of a web page, and/or data to be included in a web page …”); and 
sending, by the device, the another HTTP message to the client (col 21, lines 41-43: “… and send the one or more instructions with the one or more challenge-response credential pairs to a client computer.”).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 5 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Jampani and further in view of US-PGPUB No. 2011/0154464 A1 to Agarwal et al. (hereinafter “Agarwal”)
Regarding claim 5:
Jampani discloses the method of claim 1, but does not disclose the following limitation taught by Agarwal: 
wherein the HTTP message comprises a HTTP GET message, a HTTP INFO message, or a HTTP HEAD message (Agarwal, ¶234: “… the device may use HTTP GET method …”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Jampani to incorporate the functionality of the device to post messages using the HTTP GET method, as disclosed by Agarwal, such modification would allow the system to exchange non-sensitive information using the HTTP GET message which is faster than the POST method because the values are included in the header than the body.
Regarding claim 19:
Claim 19 substantially recites the same limitation as claim 5, in the form of a client to realize the corresponding method, therefore it is rejected by the same rationale. 
Claims 6, 11-12 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Jampani and further in view of US-PGPUB No. 2010/0306538 A1 to Thomas et al. (hereinafter “Thomas”)
Regarding claim 6:
Jampani discloses the method of claim 1, but does not disclose the following limitation taught by Thomas: 
wherein generating the validation cookie information with the updated sequence number comprises: 
incrementing, by the client, the sequence number by a defined value (Thomas, ¶51: “The host device 300 may then increment the sequence number (N) for the host device send packets (or N.sub.H.sub.--send) 332 …”, see FIG. 3B, step 332, Increment Host Device sequence number for send packets (NH-send=N+1)).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Jampani to incorporate the functionality of the host device to increment the sequence number by a defined value, as disclosed by Thomas, such modification would allow the system to get a new sequence number by just incrementing the existing sequence number by a defined value, thus avoiding the overhead of generating a new sequence number.
Regarding claim 11:
Jampani discloses:
The method of claim 1 wherein the cookie engine is pre-installed on the client (col 4, lines 38-39: “… a browser includes a JavaScript parser or JavaScript execution engine …”, see Fig. 2, Browser 295 runs on Client Computer 299), and generating the validation cookie information comprises: 
receiving, by the client, a validation cookie and the sequence number from the device (col 19, lines 42-44: “… credential validation module 340 may send the credential to browser 295 through protocol server module 338.”, col 20, lines 7-8: “… the intermediary computer sends the seed value to the client computer.”); and 
However, Jampani does not disclose the following limitation taught by Thomas:
obtaining, by the client using the cookie engine, a hash-based message authentication code (HMAC) of the validation cookie and the sequence number (Thomas, ¶47: “The accessory device 302 may … send a key pairing message 318 to the host device 300. The key pairing message may include the incremented sequence number … and a keyed-hash message authentication code (HMAC) over the entire message …”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Jampani to incorporate the functionalities of the accessory device to send HMAC and the host device to obtain the HMAC with the incremented sequence number, as disclosed by Thomas, such modification would allow the system to authenticate and verify data is correct without the use of signatures and asymmetric cryptography.
Regarding claim 12:
The combination of Jampani and Thomas disclose:
The method of claim 11, comprising: 
obtaining, by the client, the updated sequence number by incrementing the sequence number (Thomas, ¶51: “The host device 300 may then increment the sequence number (N) for the host device send packets ...332 and may send a key verification message to the accessory device 302.”); and 
causing the device to validate the HMAC and the updated sequence number (Thomas, ¶52: “… the accessory device 302 validates the sequence number … and the HMAC 336.”). 
The same motivation which is applied to claim 11 applies to claim 12.
Regarding claim 20:
Claim 19 substantially recites the same limitation as claim 5, in the form of a client to realize the corresponding method, therefore it is rejected by the same rationale. 
Claims 9 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Jampani, Thomas and further in view of US-PGPUB No. 2014/0259109 A1 to Houston et al. (hereinafter “Houston”)
Regarding claim 9:
Jampani discloses the method of claim 1, but fails to disclose the following limitation taught by Thomas:  
generating, by the client upon the redirect, the validation cookie information with the updated sequence number (Thomas, ¶54: “The host device 300 may then increment the sequence number (N) for the host device send packets … 332 and may send a key verification message 334 to the accessory device 302. The key verification message may include the incremented sequence number, the host device identifier, the accessory device identifier, and a keyed-hash message authentication code (HMAC) over the entire message using the authentication key.”).
The same motivation which is applied to claim 6, applies to claim 9 in relation to the above limitation disclosed by Thomas.
However, the combination of Jampani and Thomas fails to disclose the following limitations taught by Houston:
initiating, by the client, a new secure connection (Houston, ¶78: “… the enhanced services network may send a redirect message to the client that directs the client to initiate a subsequent request for a connection on port 443 of the server system hosting the network resource.”); and 
receiving, by the client responsive to the new secure connection, a redirect from the device to the client (Houston, ¶80: “In a scenario where a connection has already been established to the network resource for the client with a server system hosting the network resource, the resource-side edge server may redirect the client or otherwise transition the client to a more secure connection");  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Jampani and Thomas to incorporate the functionalities of the enhanced services network to send a redirect message to the client that directs the client to request a connection on a secured port, as disclosed by Houston, such modification would allow the system to either redirect the client to a new secure connection or allow it connect to a secured HTTP (HTTPS) through port 443.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Follows et al. (US-PGPUB No. 2010/0306547-A1)- disclosed a gateway server which interoperates with client and remote server systems to provide stateless security management for a distributed Web application.
Giles et al. (US-PGPUB No 2002/0169961-A1)- disclosed methods and apparatus for enabling access to restricted information contained at a semi-trusted web-server. 
Koottayi et al. (US-PGPUB No. 2020/0007531-A1)- disclosed access control techniques for seamless transition between world wide web (WEB) resource access and application programming interface (API) resource access on an enterprise network with security restrictions.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491                                                                                                                                                                                                   
/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491