Slashdot Mirror


Amazon Awarded Cookie Patent

theodp writes "On Tuesday, the USPTO granted Amazon.com a patent for the Use of browser cookies to store structured data, which covers the storing of data structures and non-character data within browser cookies. In a February SEC filing (pdf), Amazon reiterated that they expect that they may license certain patents to third parties in the future."

4 of 79 comments

  1. Re:CSV, etc? by Fweeky · · Score: 2, Informative

    Even php's serialize() (also available for Ruby<plug>) does that; but this patent also talks about checksums, encryption, and back/forward compatibility, so.. say.. like XML + schema + crypto of your choice.

    TBH you can put anything you like in a cookie, binary or not; you just base64 encode it or so. After that, well, people have been making file formats like this for years, and Amazon get a patent just for putting one in a cookie? Lame.

  2. I did this too by samjam · · Score: 2, Informative

    The second revision of the second generation of Ananova email alerts (anyone remember this?) had two such encrypted addresses, the From address and the Reply-To address, which included an encrypted checksummed version of the customer's address-id and the story-id of the message that was sent.

    This was so that we could tell in bounced OR replied messages which customer sent the message and for which story, and it would loosely authenticate the user for performing "safe" operations on their email alert account.

    Around the same time we started using cookies to store the number of times users visited each section of the Ananova website for the last 7 days in which they visited the site at all. This was to give us a vague idea of where their interests lay but we never used this data, and it wasn't checksummed, but it was binary packed and then base 62 encoded (couldn't find 64 characters ALL of which would not be url encoded, wasting cookie space).

    Plenty of other web based projects use encrypted password tokens to show a user has authenticated without having to store or repeatedly transmit the password in replay-able form over the web.

    Sam

  3. Re:So by greppling · · Score: 4, Informative
    If you do it without encryption or without a checksum then you're probably not infringing. Same if you avoid binary encoding.

    That's not how I read the claims. The basic claims are 1, 10, 18, 26, 35, 40. Adding encryption or checksums to storing the data structures as cookies are covered by separate claims, always listed in addition to the basic claims.

    The whole point of this patent is IMO what they call "schema data". By this they mean having a separate file that describes the data structure used in the cookies, so that the data structures can be changed without changing the code en/de-crypting the cookie. (Claim 1.) Unless someone is using such a metafile describing the data structure, and has written a generic cookie parser that is controlled by this metafile, I am pretty sure he will not be infringing the patent. This is, of course, not revolutionary, but it's definitely much better software design than the typical PHP/MySQL web site.

    Adding versioning of the data structures is claim 7. Claim 26 is then about using this data to generate personalized web pages from the cookie data without any database lookups.

    So, IMHO this patent isn't that silly. You most likely don't have to "work around" it just because you are storing some structured user data in cookies, it is to the contrary very unlikely that you are infringing it. Definitely, all posts here have missed the "schema data" aspect so far. Maybe there is prior art for this, but if there is, no one has pointed out any so far.

    I think the only good reason to be against this patent is to be against software patents in general. Which I am, btw:)

  4. Prior Art by kerfuffle · · Score: 2, Informative
    The main ingredients of this "patent" seem to be using a cookie for structured data to avoid DB overhead, with the inclusion of some internal "checksum/session" keys.

    The HSBC Australia online trading platform publicly launched in Nov 1999 and implemented in Python, used cookies to pass serialised Python structures between client and server to avoid needless per request DB lookups (and to allow simple horizontal scaling, since instead of requiring a "session DB" one only required HTTP servers capable of decrypting the cookie data, i.e. the requests could go to any server). The serialised Python structures were strongly encrypted and contained internal session key info which was used to provide an additional check on the data consistency. This would appear to match exactly what this patent claims to be novel (it seemed pretty intuitive at the time). The system is still live, and the codebase is largely untouched. I would expect that a large amount of internal documentation exists on the history of this project (including at least one presentation to an Open Source conference).
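
The "schema data" idea from comment 3 and the stateless, integrity-checked cookie from comment 4, combined in an added example that is not code from the thread or from any system the commenters describe. It packs fields into a fixed binary layout rather than deserialising arbitrary objects, uses HMAC-SHA256 in place of a checksum, and leaves out encryption, so it gives integrity but not confidentiality; the key, field names and schema table are assumptions.

```python
import base64
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: server-side secret, constructed here

# Hypothetical "schema data": version -> (struct format, field names).
# A new cookie layout is a new table entry; the codec below does not change.
SCHEMAS = {
    1: ("!IH", ("user_id", "visits")),
    2: ("!IHB", ("user_id", "visits", "theme")),
}
CURRENT_VERSION = 2
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def encode_cookie(fields, version=CURRENT_VERSION):
    """Pack fields per the schema, prepend the version byte, append the MAC."""
    fmt, names = SCHEMAS[version]
    body = bytes([version]) + struct.pack(fmt, *(fields[n] for n in names))
    tag = hmac.new(KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode("ascii")


def decode_cookie(value):
    """Return (version, fields), or None if the cookie is malformed or forged."""
    try:
        raw = base64.urlsafe_b64decode(value)
    except ValueError:  # covers bad padding and non-ASCII input
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    # Authenticate before interpreting any byte the client controls.
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    schema = SCHEMAS.get(body[0])
    if schema is None:  # unknown or retired schema version
        return None
    fmt, names = schema
    if len(body) - 1 != struct.calcsize(fmt):
        return None
    return body[0], dict(zip(names, struct.unpack(fmt, body[1:])))
```

Because the version byte is inside the authenticated body, a client cannot relabel a cookie as a different schema version, and cookies issued under version 1 keep decoding after version 2 is introduced.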