Stateless prevention of login-based cross-site request forgery

US 10,178,125 B2
Filed: 05/03/2016
Issued: 01/08/2019
Est. Priority Date: 05/03/2016
Status: Active Grant

First Claim

Patent Images

1. A system for stateless prevention of login-based cross-site request forgery, the apparatus comprising:

one or more processors; and

a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors to;

receive, by a web application, a request for a login page associated with a web site;

send, by the web application via a domain name, a response comprising the login page and a request header of the login page, the request header of the login page including a first function field having a first token and a second function field having a second token, the first function field being modifiable only via a related domain name that is related to the domain name;

receive, by the web application, a request to login to the web site from a requesting client, wherein the request to login comprises a request header that comprises the first and second function fields;

determine, by the web application, whether the first function field in the request header comprises a token that is a specific function of a token in the second function field in the request header; and

establish, by the web application, a session with the requesting client in response to a determination that the first function field in the request header comprises the token which is the specific function of the token in the second function field in the request header.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A web application receives a request for a web site'"'"'s login page. The web application sends, via a domain name, a response including the login page, a first token in a first field in the login page'"'"'s header, and a second token in a second field in the login page'"'"'s header, wherein the first field is modifiable only via a related domain name which is related to the domain name, and wherein the first token is a function of the second token. The web application receives a request to login to the site from a client, wherein the request to login includes a header that includes the first field and the second field. The web application establishes a session with the client if the first field in the header includes a token which is the function of a token in the second field in the header.

Citations

20 Claims

1. A system for stateless prevention of login-based cross-site request forgery, the apparatus comprising:
- one or more processors; and
  
  a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors to;
  
  receive, by a web application, a request for a login page associated with a web site;
  
  send, by the web application via a domain name, a response comprising the login page and a request header of the login page, the request header of the login page including a first function field having a first token and a second function field having a second token, the first function field being modifiable only via a related domain name that is related to the domain name;
  
  receive, by the web application, a request to login to the web site from a requesting client, wherein the request to login comprises a request header that comprises the first and second function fields;
  
  determine, by the web application, whether the first function field in the request header comprises a token that is a specific function of a token in the second function field in the request header; and
  
  establish, by the web application, a session with the requesting client in response to a determination that the first function field in the request header comprises the token which is the specific function of the token in the second function field in the request header.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein at least one of the first token and the second token is cryptographically random.
  - 3. The system of claim 1, wherein the first function field comprises one of a custom header and a cookie.
  - 4. The system of claim 1, wherein the second function field comprises one of a GET parameter and a cookie.
  - 5. The system of claim 1, wherein the related domain name which is directly related to the domain name comprises only the domain name.
  - 6. The system of claim 1, wherein the specific function is one of an equality function and a hash-based function.
  - 7. The system of claim 1, comprising further instructions, which when executed, cause the one or more processors to deny, by the web application, the session with the requesting client in response to a determination that the first function field in the request header does not comprise the token that is the specific function of the token in the second function field in the request header.

8. A computer program product comprising computer-readable program code to be executed by one or more processors when retrieved from a non-transitory computer-readable medium, the program code including instructions to:
- receive, by a web application, a request for a login page associated with a web site;
  
  send, by the web application via a domain name, a response comprising the login page and a request header of the login page, the request header of the login page including a first function field having a first token and a second function field having a second token, the first function field being modifiable only via a related domain name that is related to the domain name;
  
  receive, by the web application, a request to login to the web site from a requesting client, wherein the request to login comprises a request header that comprises the first and second function fields;
  
  determine, by the web application, whether the first function field in the request header comprises a token that is a specific function of a token in the second function field in the request header; and
  
  establish, by the web application, a session with the requesting client in response to a determination that the first function field in the request header comprises the token which is the specific function of the token in the second function field in the request header.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, wherein at least one of the first token and the second token is cryptographically random.
  - 10. The computer program product of claim 8, wherein the first function field comprises one of a custom header and cookie.
  - 11. The computer program product of claim 8, wherein the second function field comprises one of a GET parameter and a cookie.
  - 12. The computer program product of claim 8, wherein the related domain name which is directly related to the domain name comprises only the domain name.
  - 13. The computer program product of claim 8, wherein the specific function is one of an equality function and a hash-based function.
  - 14. The computer program product of claim 8, wherein the program code comprises further instructions to deny, by the web application, the session with the requesting client in response to a determination that the first function field in the request header does not comprise the token that is the specific function of the token in the second function field in the request header.

15. A method for stateless prevention of login-based cross-site request forgery, the method comprising:
- receiving, by a web application, a request for a login page associated with a web site;
  
  sending, by the web application via a domain name, a response comprising the login page and a request header of the login page, the request header of the login page including a first function field having a first token and a second function field having a second token, the first function field being modifiable only via a related domain name that is related to the domain name;
  
  receiving, by the web application, request to login to the web site from a requesting client, wherein the request to login comprises a request header that comprises the first and second function fields;
  
  determining, by the web application, whether the first function field in the request header comprises a token that is a specific function of a token in the second function field in the request header; and
  
  establishing, by the web application, a session with the requesting client in response to a determination that the first function field in the request header comprises the token which is the specific function of the token in the second function field in the request header.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein at least one of the first token and the second token is cryptographically random.
  - 17. The method of claim 15, wherein the first function field comprises one of a custom header and a cookie, and wherein the second function field comprises one of a GET parameter and the cookie.
  - 18. The method of claim 15, wherein the related domain name which is directly related to the domain name comprises only the domain name.
  - 19. The method of claim 15, wherein the specific function is one of an equality function and a hash-based function.
  - 20. The method of claim 15, wherein the method further comprises denying, by the web application, the session with the requesting client in response to a determination that the first function field in the request header does not comprise the token that is the specific function of the token in the second function field in the request header.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Gopalakrishnan, Amalkrishnan Chemmany
Primary Examiner(s)
Hoffman, Brandon S
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US15/145,484
Publication Number

US 20170324742A1
Time in Patent Office

980 Days
Field of Search

726 9
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/102   Entity profiles

H04L 63/1483   service impersonation, e.g....

H04L 63/168   above the transport layer

Stateless prevention of login-based cross-site request forgery

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Stateless prevention of login-based cross-site request forgery

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links