Stateless prevention of login-based cross-site request forgery
First Claim
1. A system for stateless prevention of login-based cross-site request forgery, the apparatus comprising:
- one or more processors; and
- a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors to:
  - receive, by a web application, a request for a login page associated with a web site;
  - send, by the web application via a domain name, a response comprising the login page and a request header of the login page, the request header of the login page including a first function field having a first token and a second function field having a second token, the first function field being modifiable only via a related domain name that is related to the domain name;
  - receive, by the web application, a request to login to the web site from a requesting client, wherein the request to login comprises a request header that comprises the first and second function fields;
  - determine, by the web application, whether the first function field in the request header comprises a token that is a specific function of a token in the second function field in the request header; and
  - establish, by the web application, a session with the requesting client in response to a determination that the first function field in the request header comprises the token which is the specific function of the token in the second function field in the request header.
Abstract
A web application receives a request for a web site's login page. The web application sends, via a domain name, a response including the login page, a first token in a first field in the login page's header, and a second token in a second field in the login page's header, wherein the first field is modifiable only via a related domain name which is related to the domain name, and wherein the first token is a function of the second token. The web application receives a request to login to the site from a client, wherein the request to login includes a header that includes the first field and the second field. The web application establishes a session with the client if the first field in the header includes a token which is the function of a token in the second field in the header.
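The check described in the claim and abstract, as an added illustration that is not part of the patent: the server issues a random second token and a first token derived from it, and on the login request it establishes a session only when the first field equals that function of the second field, with no per-client state kept between the two requests. The field names, the choice of a keyed HMAC-SHA256 as the "specific function", and the cookie attributes are assumptions, since the page does not fix them.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed demo key; a real deployment loads this from a key store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
FIRST_FIELD = "csrf_first"    # assumed name of the claim's "first function field"
SECOND_FIELD = "csrf_second"  # assumed name of the claim's "second function field"


def derive_first_token(second_token: str) -> str:
    # Assumption: the "specific function" is a keyed HMAC-SHA256 of the second token.
    return hmac.new(SERVER_KEY, second_token.encode(), hashlib.sha256).hexdigest()


def issue_login_page_tokens() -> dict:
    """Tokens the web application attaches to the login-page response."""
    second = secrets.token_hex(16)
    return {FIRST_FIELD: derive_first_token(second), SECOND_FIELD: second}


def set_cookie_headers(tokens: dict, related_domain: str) -> list:
    """Set-Cookie header values for the login page (attributes are an assumption).

    The first field is scoped to the related domain; the second is host-only."""
    return [
        f"{FIRST_FIELD}={tokens[FIRST_FIELD]}; Domain={related_domain}; Path=/; Secure; HttpOnly",
        f"{SECOND_FIELD}={tokens[SECOND_FIELD]}; Path=/; Secure; HttpOnly",
    ]


def login_request_allowed(cookie_header: str) -> bool:
    """Stateless decision on the login request: a session may be established
    only if the first field equals the function of the second field.
    Nothing is stored server-side between the two requests."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    first = jar[FIRST_FIELD].value if FIRST_FIELD in jar else None
    second = jar[SECOND_FIELD].value if SECOND_FIELD in jar else None
    if not first or not second:
        return False
    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(first, derive_first_token(second))
```

A login request whose second token was not paired with a matching first token by this server (or that lacks either field) is refused, while any correctly issued pair passes without a server-side lookup.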
20 Claims

Independent claim 1 is reproduced above under First Claim; the other independent claims follow.
8. A computer program product comprising computer-readable program code to be executed by one or more processors when retrieved from a non-transitory computer-readable medium, the program code including instructions to:
- receive, by a web application, a request for a login page associated with a web site;
- send, by the web application via a domain name, a response comprising the login page and a request header of the login page, the request header of the login page including a first function field having a first token and a second function field having a second token, the first function field being modifiable only via a related domain name that is related to the domain name;
- receive, by the web application, a request to login to the web site from a requesting client, wherein the request to login comprises a request header that comprises the first and second function fields;
- determine, by the web application, whether the first function field in the request header comprises a token that is a specific function of a token in the second function field in the request header; and
- establish, by the web application, a session with the requesting client in response to a determination that the first function field in the request header comprises the token which is the specific function of the token in the second function field in the request header.

(Dependent claims: 9, 10, 11, 12, 13, 14)
15. A method for stateless prevention of login-based cross-site request forgery, the method comprising:
- receiving, by a web application, a request for a login page associated with a web site;
- sending, by the web application via a domain name, a response comprising the login page and a request header of the login page, the request header of the login page including a first function field having a first token and a second function field having a second token, the first function field being modifiable only via a related domain name that is related to the domain name;
- receiving, by the web application, a request to login to the web site from a requesting client, wherein the request to login comprises a request header that comprises the first and second function fields;
- determining, by the web application, whether the first function field in the request header comprises a token that is a specific function of a token in the second function field in the request header; and
- establishing, by the web application, a session with the requesting client in response to a determination that the first function field in the request header comprises the token which is the specific function of the token in the second function field in the request header.

(Dependent claims: 16, 17, 18, 19, 20)