Client Token Storage for Cross-Site Request Forgery Protection
First Claim
1. A computer-implemented method for securing against cross-site request forgery, the method comprising:
initiating, using one or more computing devices, an action associated with a first web service;
generating, using the one or more computing devices, an electronic token;
storing a first copy of the electronic token, at the computing device, as a stored token within a client storage implementing an access policy;
generating, using the one or more computing devices, a return link associated with a passed token copy of the electronic token, wherein the return link is associated with the first web service;
redirecting browsing, using the one or more computing devices, to a second web service while providing the return link and the associated passed token copy;
completing, using the one or more computing devices, an operation associated with the second web service;
returning, using the one or more computing devices, to the first web service according to the provided return link;
extracting, using the one or more computing devices, the passed token copy from the return link;
reading, using the one or more computing devices, the stored token from the client storage;
determining, using the one or more computing devices, that the passed token copy matches the stored token; and
performing, using the one or more computing devices, the action in response to determining that the passed token copy matches the stored token.
2 Assignments
0 Petitions
Abstract
Systems and methods can secure against cross-site request forgery using client-side token storage. A client browser can initiate an action associated with a first web service and generate a token. The token may be stored in client-side storage at the computing device. An indicator of the action may also be stored within the client-side storage. A return link, associated with a passed copy of the token, may be generated. The client may perform the redirect and return to the first web service according to the return link. The passed copy of the token can be extracted from the return link. The indicator of the action and the stored token may be loaded from the client storage. The passed copy of the token and the stored token may be compared. The action according to the indicator of the action may be performed in response to the comparison matching.
21 Claims
9. A system, comprising:
a user computing device associated with a browser; and
one or more computing devices associated with a first web service, wherein the user computing device is configured to:
receive initiation of an action associated with the first web service;
generate a token;
store a first copy of the token as a stored token within a client storage implementing an access policy;
generate a return link associated with a passed copy of the token, wherein the return link is associated with the first web service;
redirect browsing to a second web service while providing the return link and associated passed copy of the token;
complete an operation associated with the second web service;
return to the first web service according to the provided return link;
extract the passed copy of the token from the return link;
read the stored token from the client storage;
determine that the passed copy of the token matches the stored token; and
perform the action in response to determining that the passed copy of the token matches the stored token.
Dependent claims 10, 11, 12, 13, 14 and 15 are not reproduced here.
16. A computer program product, comprising:
a non-transitory computer-readable medium having computer-readable program code embodied therein that, when executed by one or more computing devices, performs a method comprising:
initiating, on the one or more computing devices, an action associated with a first web service;
generating, on the one or more computing devices, a token;
storing a first copy of the token, at the one or more computing devices, as a stored token within a client storage implementing an access policy;
generating, on the one or more computing devices, a return link associated with a passed copy of the token, wherein the return link is associated with the first web service;
redirecting browsing, on the one or more computing devices, to a second web service while providing the return link and associated passed copy of the token;
completing, on the one or more computing devices, an operation associated with the second web service;
returning, on the one or more computing devices, to the first web service according to the provided return link;
extracting, on the one or more computing devices, the passed copy of the token from the return link;
reading, on the one or more computing devices, the stored token from the client storage;
determining, on the one or more computing devices, that the passed copy of the token matches the stored token; and
performing, on the one or more computing devices, the action in response to determining that the passed copy of the token matches the stored token.
Dependent claims 17, 18, 19, 20 and 21 are not reproduced here.