DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 21 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,798,080. Although the claims at issue are not identical, they are not patentably distinct from each other because claim 21 is generic to all that is recited in claim 1 of U.S. Patent No. 10,798,080. That is, claim 1 of U.S. Patent No. 10,798,080 falls entirely within the scope of claim 21 or, in other words, claim 21 is anticipated by claim 1 of U.S. Patent No. 10,798,080. Specifically, claim 1 of U.S. Patent No. 10,798,080 essentially recites A method for authenticating users in a communication network, the method comprising (“A method for authenticating users in a communication network, the method comprising”): 
generating an identification token in response to a user terminal loading a web page from a web server, wherein (“generating an identification token in response to a user terminal loading a web page from a web server, wherein”): 
the identification token is associated with a time stamp indicating when a network address is used by the user terminal (“the identification token comprises a network address associated with a time stamp indicating when the network address is used by the user terminal”); and 
generating the identification token is triggered in response to a request from the user terminal to load the web page (“generating the identification token is triggered by the web server, wherein the triggering is in response to a request from the user terminal to load the web page”); 
obtaining user authentication information associated with the network address and the time stamp (“obtaining user authentication information associated with the network address and the time stamp”); and 
sending the user authentication information to one or both of the user terminal and the web server for authenticating the user of the communication network (“sending the user authentication information to the user terminal or to the web server for authenticating the user of the communication network”).

Similarly, the following claims are rejected on the ground of nonstatutory double patenting as being unpatentable over the following corresponding claims of U.S. Patent No. 10,798,080.
Claims of the Instant Application
Claims of U.S. Patent No. 10,798,080
Claims of the Instant Application
Claims of U.S. Patent No. 10,798,080
21
1
32
11
     22
2
33
12
24
3
35
13
25
4
36
14
26
5
37
15
27
6
38
18
28
7
39
16
29
8
40
17
30
9
41
19
31
10




	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 21, 23, 27-29, 32, 34, 38 and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Lee (US 2017/0078285), further in view of Chen (US 2016/0021201), and further in view of Sampath (US 6,266,774).

Regarding claims 21 and 32, Lee teaches A system for authenticating users in a communication network (see abstract: “The CPE device may provide the identity token to a network element of the service provider network, and the service provider network may authenticate the identity of the CPE device using the identity token provided”), the system comprising: 
a token generator comprising one or more circuits, wherein the token generator is configured to generate an identification token (see [0002]: “the customer premises equipment (CPE)”. And see [0036] and Fig. 3: “Each of the customer premises 304a-c, in this example, includes a respective CPE device 318a, 318b, or 318c (318 generally and 318a-c collectively) at which a user accesses the service provider network 302. … CPE devices include computing devices such as personal computers (PCs), desktop computing devices, laptop computing devices, tablet computing devices, palmtop computing devices, cellular telephones (e.g., smartphones and feature phones)”. And see [0042] and Fig. 3: “a CPE device itself may additionally or alternatively generate the identity token based on the network configuration data associated with the CPE device and the interface device. In these example implementations, the CPE device may transmit the identity token generated to the identity server for storage”. The Examiner interprets the CPE device 318a, 318b and 318c generating the identity token as a token generator) 
the identification token is associated with a time stamp indicating when a network address is used by the user terminal (see [0042] and Fig. 3: “The identity token 338 also encodes MAC address 336b assigned to and the IP address 334b provisioned for the CPE device 318b”. And see [0036] and Fig. 3: “Each of the customer premises 304a-c, in this example, includes a respective CPE device 318a, 318b, or 318c (318 generally and 318a-c collectively) at which a user accesses the service provider network 302. … CPE devices include computing devices such as personal computers (PCs), desktop computing devices, laptop computing devices, tablet computing devices, palmtop computing devices, cellular telephones (e.g., smartphones and feature phones)”. The Examiner interprets the customer premises equipment (CPE) device 318b as the user terminal. The Examiner further interprets “the IP address 334b provisioned for the CPE device 318b” as a network address … used by the user terminal. And see [0043]: “The identity token may also encode a timestamp that indicates an expiration date of the identity token”. And see [0044] and Fig. 3: “the identity server 310 may generate an identity token by hashing each of the values it encodes. In other words, an identity token may be, for example, a hash of a CPE IP address, CPE MAC address, cable modem IP address, cable modem MAC address, unique identifier, and timestamp”. And see [0056] and Fig. 4: “The identity token 430, in this example, encodes an identifier 432 (e.g., a username, a user account number, a mailing address, etc.), a timestamp 434 that indicates whether the identity token has expired, a MAC address 436 for an interface device (e.g., a cable modem), an IP address 438 for the interface device, a MAC address 440 for a CPE device, and an IP address 442 for the CPE device”. And see [0060] and Fig. 6: “Since the DHCP server 604 dynamically provisions an IP address to the CPE device 606, the identity server 608 may include old network configuration data previously associated with the CPE device. Accordingly upon receipt of new network configuration data from the DHCP server 604, the identity server 608 may be configured to delete the old network configuration data and any corresponding identity token associated with the CPE device 606 when updating the new network configuration data received from the DHCP server and generating a new identity token”. The Examiner interprets the timestamp indicating an expiration date of the identity token due to dynamic provisioning of an IP address to the CPE device as a time stamp indicating when a network address is used by the user terminal); and 
generating the identification token (see [0042] and Fig. 3: “a CPE device itself may additionally or alternatively generate the identity token based on the network configuration data associated with the CPE device and the interface device”) 
a network processing unit comprising one or more circuits (see [0062] and Fig. 6: “The identity server 608 retrieves from the mapping the network configuration data associated with the source IP address and compares the retrieved network configuration data to the network configuration data encoded in the identity token received from the CPE device 606 in order to authenticate the CPE device”. The Examiner interprets the identity server 608 as a network processing unit), wherein the network processing unit is configured to: 
obtain user authentication information associated with the network address and the time stamp (see [0061] and Fig. 6: “If the CPE device 606 does respond with the identity token, however, then the network element 610 submits an AuthN response to the AuthN server 612 with the identity token received and the source IP address of the CPE device. The AuthN server 612, in turn, submits an AuthN request to the identity server 608 requesting validation of the identity token received from the CPE device 606”. And see [0062] and Fig. 6: “The identity server 608 retrieves from the mapping the network configuration data associated with the source IP address and compares the retrieved network configuration data to the network configuration data encoded in the identity token received from the CPE device 606 in order to authenticate the CPE device. As noted above, the identity server 608 may be configured to compare respective hashes of the network configuration data to determine whether the received identity token matches a stored identity token”. The Examiner interprets “the network configuration data associated with the source IP address” retrieved by the identity server 608 and compared with the network configuration data encoded in the identity token in order to authenticate the CPE device as user authentication information associated with the network address and the time stamp); and 
(see [0062] and Fig. 6: “The identity server 608 retrieves from the mapping the network configuration data associated with the source IP address and compares the retrieved network configuration data to the network configuration data encoded in the identity token received from the CPE device 606 in order to authenticate the CPE device”).

Lee fails to teach that the token generator is configured to generate an identification token in response to a user terminal loading a web page (emphasis added). Lee also fails to teach that generating the identification token is triggered in response to a request from the user terminal to load the web page(emphasis added).
However, Chen teaches wherein the token generator is configured to generate an identification token in response to a user terminal loading a web page (see [0019]: “when a user (i.e., the sharer) visits a web page (e.g., “m.huffpost.com/us/entry/123456”), a token may be generated”. The Examiner interprets a user visiting a web page as a user terminal loading a web page);
generating the identification token is triggered in response to a request from the user terminal to load the web page (see [0019]: “when a user (i.e., the sharer) visits a web page (e.g., “m.huffpost.com/us/entry/123456”), a token may be generated, and the method may involve storing all desired information associated with the user and the page to a database, using the token as key and all the other fields as values. For example, the token “abcde” may be generated and stored as a record to the database as: “abcde”->(path: “m.huffpost.com/us/entry/123456”, userinfo: { . . . }). The user may then be silently redirected to the token-based URL (example: “m.huffpost.com/abcde”). This can be done using a server side “302” redirect, or links can be prepared and embedded in a web page before they are even shown to user”).

Both Lee and Chen teaches generating a token where the token is associated with a user. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Lee by letting the generation of the identification token be triggered in response to a request from the user terminal to load the web page, as taught by Chen. It would have been obvious because Chen teaches doing so generates a token-based URL and achieves the following benefit: “Since the token-based URL is indexed or otherwise associated with prior user, timing, demographics, etc. the token-based URL may be considered the “tracking URL” or “tracking address” that enables further analysis and understanding of user sharing behavior” (see Chen [0019]). 
When such a modification is made, Lee modified in view of Chen would teach a token generator comprising one or more circuits, wherein the token generator is configured to generate an identification token in response to a user terminal loading a web page, and wherein: 
generating the identification token is triggered in response to a request from the user terminal to load the web page, as recited by claims 21 and 32.

Lee modified in view of Chen fails to teach that the network processing unit is configured to: send the user authentication information to one or both of the user terminal and a network element configured to provide the web page for authenticating the user of the communication network (emphasis added).
In the same field of endeavor, Sampath teaches a network processing unit configured to: send the user authentication information to one or both of the user terminal and a network element configured to provide the web page for authenticating the user of the communication network (see col. 4, lines 11-20: “the server computer receives a request in the form of a data packet from the user computer, whereupon the server computer causes a first web page image to be displayed on the user computer via a browser program running on the user computer. If the user inputs identification and a secure password in the first web page and transmits the first web page to the server computer, the server computer authenticates the user information and opens a secure connection with the user computer”. The Examiner interprets “the user computer” as a network processing unit. The Examiner further interprets “the server computer”, “whereupon the server computer causes a first web page image to be displayed on the user computer via a browser program running on the user computer”, as “a network element configured to provide the web page”. The Examiner interprets “identification and a secure password” as the user authentication information. The Examiner further interprets the user computer sending identification and a secure password to the server computer and the server computer authenticating the user information as a network processing unit configured to: send the user authentication information to … a network element configured to provide the web page for authenticating the user of the communication network).

Both Sampath and Lee modified in view of Chen teach “authenticating the user of the communication network”. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Lee modified in view of Chen by authenticating the user of the communication network through sending the user authentication information to one or both of the user terminal and a network element configured to provide the web page, as taught by Sampath. It would have been obvious because doing so predictably achieves the commonly understood benefit of authenticating the user of the communication network.

Regarding claims 23 and 34, Lee further teaches wherein the network element is configured to, in response to receiving the request from the user terminal to load the web page, identify the network address (see [0061] and Fig. 6: “if the CPE device 606 submits an access request to the network element 610, and if the network element does not recognize the source IP address of the CPE device, then the network element challenges the CPE device to provide the identity token it received when provisioned with network configuration data via the authenticated interface device 602”. Lee inherently teaches wherein the network element configured to provide the web page (the network element 610) is configured to, in response to receiving the request from the user terminal to load the web page, identify the network address because the network element 610 cannot determine whether it recognizes the source IP address of the CPE device (the network address) without first identifying the source IP address of the CPE device (the network address))
Lee fails to teach wherein the network element is configured to, in response to receiving the request from the user terminal to load the web page, identify the network address before triggering generating the identification token (emphasis added).
As explained in the rejection of claims 21 and 32, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Lee by letting the generation of the identification token be triggered in response to a request from the user terminal to load the web page, as taught by Chen. When such a modification is made, Lee modified in view of Chen would teach wherein the network element is configured to, in response to receiving the request from the user terminal to load the web page, identify the network address before triggering generating the identification token, as recited in claims 23 and 34.

Regarding claim 27, Lee further teaches wherein the user authentication information comprises at least one of the following: name of the user, physical address of the user, email address of the user, secondary phone number of the user, user terminal identifier, birthday of the user, preferred payment method of the user and payment card details of the user (see [0057]: “Referring now to FIG. 5, an example of an implementation of a mapping 500 between network configuration data and user account information is shown. The mapping 500, in this example, is a table wherein each row represents one instance of a mapping between information associated with a user account and network configuration data associated with and provisioned for devices deployed at a customer premise that is associated with that user account. The columns of the table thus correspond to the date fields of the mapping 500, and the values stored at those columns in each row thus correspond to the data items of the data fields. The mapping 500, in this example, includes the following data fields: an account number 502, a name 504 of an individual associated with the account (e.g., first and last name); a mailing address 506 of the customer premise at which an interface device (e.g., a cable modem) associated with the account are deployed”. And see [0041], [0043] and [0049]).

Regarding claims 28 and 38, Lee further teaches wherein the network processing unit is configured to access a database of the communication network to obtain the user authentication information (see [0062] and Fig. 6: “The identity server 608 retrieves from the mapping the network configuration data associated with the source IP address and compares the retrieved network configuration data to the network configuration data encoded in the identity token received from the CPE device 606 in order to authenticate the CPE device”. And see [0041] and Figs. 3, 5: “The mapping 312 may be, for example, a table of a database where the columns of the table correspond to user account data elements (e.g., user account number, mailing address, first and last customer name, etc.) and network configuration data elements (e.g., IP and MAC addresses for the interface and CPE devices)”).

Regarding claim 29, Lee further teaches wherein the database comprises a table of network addresses, with each network address linked to a particular network user (see [0057] and Fig. 5: “The mapping 500, in this example, includes the following data fields: an account number 502, a name 504 of an individual associated with the account (e.g., first and last name);… and network configuration data associated with and provisioned for the devices deployed at the customer premises. As described above, the network configuration data stored in the mapping 500, in this example, includes a MAC address 512 for an interface device (e.g., a cable modem) deployed at the customer premise, an IP address 514 provisioned for the interface device deployed at the customer premise, a MAC address 516 for a CPE device deployed at the customer premise, and an IP address 518 provisioned for the CPE device”) and to a time stamp (see [0043]: “The identity token may also encode a timestamp that indicates an expiration date of the identity token”. And see [0044] and Fig. 3: “the identity server 310 may generate an identity token by hashing each of the values it encodes. In other words, an identity token may be, for example, a hash of a CPE IP address, CPE MAC address, cable modem IP address, cable modem MAC address, unique identifier, and timestamp”).

Regarding claim 39, Lee further teaches wherein the network element (see [0061] and Fig. 6: “if the CPE device 606 submits an access request to the network element 610”. And see [0053] and Fig. 4: “the network element 424 may be, for example, a web server”. The Examiner interprets the network element 424/610, which may be a web server, as “a network element configured to provide the web page”) is configured to, before the network processing unit (The Examiner interprets the identity server 608 as the network processing unit, see Fig. 6) receives the identification token: receive the identification token from the token generator (see [0002]: “the customer premises equipment (CPE)”. And see [0042] and Fig. 3: “a CPE device itself may additionally or alternatively generate the identity token based on the network configuration data associated with the CPE device and the interface device”. The Examiner interprets the CPE device 606 generating the identity token as the token generator); and send a request comprising the identification token to the network processing unit (see [0061] and Fig. 6: “If the CPE device 606 does respond with the identity token, however, then the network element 610 submits an AuthN response to the AuthN server 612 with the identity token received and the source IP address of the CPE device. The AuthN server 612, in turn, submits an AuthN request to the identity server 608 requesting validation of the identity token received from the CPE device 606”. The Examiner interprets the network element 610 (the network element) receiving the identity token from the CPE device 606 (the token generator) and sending a request comprising the identification token to the identity server 608 (the network processing unit) as wherein the network element is configured to, before the network processing unit receives the identification token: receive the identification token from the token generator; and send a request comprising the identification token to the network processing unit).

Claims 22, 26, 33 and 37 are rejected under 35 U.S.C. 103 as being unpatentable over Lee (US 2017/0078285), further in view of Chen (US 2016/0021201), further in view of Sampath (US 6,266,774), and further in view of Hyland (US 2014/0310792).

Regarding claims 22 and 33, Lee modified in view of Chen and Sampath fails to teach wherein the network element is configured to, in response to receiving the request from the user terminal to load the web page, instruct the user terminal to request the identification token from the token generator.
However, Hyland teaches wherein the network element is configured to, in response to receiving the request from the user terminal to load the web page, instruct the user terminal to request the identification token from the token generator (see [0013] and Fig. 4: “An aspect of the present invention is a method for providing access to mobile web services provided by a third party service provider system using single sign-on credentials that are managed by a client-side computer system. The method begins with the receiving of a request to access third party web services using a mobile device and redirecting the mobile device to the web-identification authentication service at the client-side computer system to authenticate the identity of the user, such as by using his or her SSO credentials. As a result of the redirecting, an authentication token is generated by the client-side computer system”. And see [0049]: “Upon execution of the native application 436, the user may be provided with the user interface of FIG. 6, which depicts an SSO log-in user interface in accordance with an embodiment of the present invention, comprising a client selection tool 604 and Access button 608. The user may select the client corresponding to the client system 400 using client selection tool 604”. And see [0054]-[0056] and Figs. 4, 5A and 7: the mobile device 408 transmits the user's credentials to the ID authentication engine 412 in client system 400 and receives an authentication token in response.  The Examiner interprets the third-party service provider system 404 as the network element. The Examiner further interprets the mobile device 408 as the user terminal. The Examiner interprets the client system 400 providing the authentication token as the token generator.  The Examiner interprets “receiving of a request to access third party web services using a mobile device” as receiving the request from the user terminal to load the web page. The Examiner interprets the message containing the user’s credentials sent from the mobile device 408 to client system 400 as request the identification token because the response to the message contains the token).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Lee modified in view of Chen and Sampath by configuring the network element to, in response to receiving the request from the user terminal to load the web page, instruct the user terminal to request the identification token from the token generator, as taught by Hyland. It would have been obvious because doing so achieves the commonly understood benefit of obtaining the token on demand.

Regarding claims 26 and 37, Lee modified in view of Chen and Sampath fails to teach wherein the network element is configured to, in response to receiving the request from the user terminal to load the web page, issue a redirect command to redirect the user terminal to the token generator to request the identification token.
In the same field of endeavor, Hyland teaches wherein the network element is configured to, in response to receiving the request from the user terminal to load the web page, issue a redirect command to redirect the user terminal to the token generator to request the identification token (see [0013] and Fig. 4: “An aspect of the present invention is a method for providing access to mobile web services provided by a third party service provider system using single sign-on credentials that are managed by a client-side computer system. The method begins with the receiving of a request to access third party web services using a mobile device and redirecting the mobile device to the web-identification authentication service at the client-side computer system to authenticate the identity of the user, such as by using his or her SSO credentials. As a result of the redirecting, an authentication token is generated by the client-side computer system”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Lee modified in view of Chen and Sampath by configuring the network element to, in response to receiving the request from the user terminal to load the web page, issue a redirect command to redirect the user terminal to the token generator to request the identification token, as taught by Hyland. It would have been obvious because Hyland teaches that “using the address returned at 508, the mobile device 408 automatically loads the mobile browser 432 at the mobile device 408, and loads the address within the mobile browser 432. This causes the client's identification authentication web page to be loaded on the mobile browser 432, from which the user may enter his or her SSO credentials” (see Hyland [0054]).


Claims 24, 25, 35 and 36 are rejected under 35 U.S.C. 103 as being unpatentable over Lee (US 2017/0078285), further in view of Chen (US 2016/0021201), further in view of Sampath (US 6,266,774), and further in view of Krapf (US 2017/0041144).

Regarding claims 24 and 35, Lee modified in view of Chen and Sampath fails to teach wherein the network element is configured to, in response to receiving the request from the user terminal to load the web page, enable a script to be executed by the user terminal to request the identification token.
However, Krapf teaches wherein the network element is configured to, in response to receiving the request from the user terminal to load the web page (see [0029]: “As illustrated in FIGS. 2A and 3, CSRF defense method 2000 can be understood as commencing with web browser 260 of client computing device 200 requesting an HTML document 11 from web server 100. See reference numeral 2110 in FIGS. 2A and 3. This can be accomplished using any suitable HTTP request that specifies a network address identifying HTML document 11, such as an HTTP GET request 10 that specifies a particular network URL.”. The Examiner interprets web server 100 as the network element), enable a script to be executed by the user terminal to request the identification token (see [0030] and Fig. 3: “In response to receiving the HTTP GET request 10, web server communication module 150 is configured to send HTML document 11 to client computing device 200. See reference numeral 2120 in FIGS. 2A and 3. The requested HTML document 11 includes an embedded script, such as a JavaScript element 11a, that can later be used to request a CSRF token”. And see [0031] and Fig. 3: “In response to receipt of HTML document 11 at client computing device 200, client web browser 260 is configured to execute JavaScript element 11a, thus transmitting an asynchronous CSRF token request 12 to web server 100”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Lee modified in view of Chen and Sampath by configuring the network element to, in response to receiving the request from the user terminal to load the web page, enable a script to be executed by the user terminal to request the identification token, as taught by Krapf. It would have been obvious because doing so achieves the commonly understood benefit of automatically requesting the token using a script executed by the user terminal.

Regarding claims 25 and 36, Krapf further teaches wherein the user terminal is configured to execute the script, the execution of the script triggering the user terminal to request the identification token from the token generator (see [0031] and Fig. 3: “In response to receipt of HTML document 11 at client computing device 200, client web browser 260 is configured to execute JavaScript element 11a, thus transmitting an asynchronous CSRF token request 12 to web server 100”).

Claim 30 are rejected under 35 U.S.C. 103 as being unpatentable over Lee (US 2017/0078285), further in view of Chen (US 2016/0021201), further in view of Sampath (US 6,266,774), and further in view of Simms (US 9,973,547).

Regarding claim 30, Lee modified in view of Chen and Sampath fails to teach wherein the identification token is associated with a session identifier of a web browsing session of the user terminal.
In the same field of endeavor, Simms teaches wherein the identification token is associated with a session identifier of a web browsing session of the user terminal (see col. 9, lines 28-31 and Fig. 4: “upon validating the secure token 118, the server complex 102 can then issue a new token 405 comprising one or more session identification credentials 406”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Lee modified in view of Chen and Sampath by letting the identification token be associated with a session identifier of a web browsing session of the user terminal, as taught by Simms. It would have been obvious because Simms teaches that “the ability to throttle or terminate sessions is a function of business rules based on session type, client device type, client IP address, content type, and/or content name. Such business rules allow client requests to be denied, throttled, killed, or redirected to other servers” (see Simms, col. 12, lines 60-65). In other words, associating a token containing a client IP address with a session identifier of a web browsing session of the client achieves the commonly understood benefit of facilitating throttling or terminating sessions based on a client IP address.
Claims 31 and 41 are rejected under 35 U.S.C. 103 as being unpatentable over Lee (US 2017/0078285), further in view of Chen (US 2016/0021201), further in view of Sampath (US 6,266,774), and further in view of Soghoian (US 2009/0198617).

Regarding claims 31 and 41, Lee modified in view of Chen and Sampath fails to teach wherein the token generator is configured to encrypt the identification token before sending it to the network processing unit (see abstract: “A computer implemented method for enabling a third party by a user to execute a transaction on behalf of the user, said method comprising: generating a token based on at least an account identifier identifying an account of said user, a secret authorization identifier known only by the user and said bank and corresponding to said account of said user, and a transaction definition defining the type of transaction to be performed; encrypting said token by an encryption method to generate an encrypted token, said encryption method being predefined such that it is known by said bank and can either be performed inversely or can be repeated by said bank; transferring said encrypted token from said user to said user to said third party to thereby authorize said third party to define the transaction as defined in said transaction definition on behalf of the account of said user specified in said token”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Lee modified in view of Chen and Sampath by taught by configuring the token generator to encrypt the identification token before sending it to the network processing unit, as taught by Soghoian. It would have been obvious because doing so achieves the commonly understood benefit of ensuring the confidentiality of the identification token during transit of the token.


Claim 40 is rejected under 35 U.S.C. 103 as being unpatentable over Lee (US 2017/0078285), further in view of Chen (US 2016/0021201), further in view of Sampath (US 6,266,774), and further in view of Pardo-Blazquez (WO 2010/066295).

Regarding claim 40, Lee modified in view of Chen and Sampath fails to teach a network address translator unit, and wherein the network element is configured to receive the identification token directly from the token generator via the network address translator unit.
However, Pardo-Blazquez teaches a network address translator unit, and wherein the network element is configured to receive the identification token directly from the token generator via the network address translator unit (see page 14, lines 27-33 and Fig. 12: “Figure 12 illustrates schematically an AG 200 which comprises a receiver 201 for receiving a general bearer request from a user equipment (UE) to establish an IP session. A token handling unit 202 is configured to receive (from the PS) or generate a token that is uniquely associated with said IP session. The AG further comprises a sender 203 for sending an accounting start message to the DPI via a network address translator, the message including said token”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Lee modified in view of Chen and Sampath by including in the system a network address translator unit, wherein the network element is configured to receive the identification token directly from the token generator via the network address translator unit, as taught by Pardo-Blazquez. It would have been obvious because the network address translator unit provides security and privacy.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZHIMEI ZHU/Examiner, Art Unit 2495