Client Token Storage for Cross-Site Request Forgery Protection

US 20140137248A1
Filed: 11/14/2012
Published: 05/15/2014
Est. Priority Date: 11/14/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for securing against cross-site request forgery, the method comprising:

initiating, using one or more computing devices, an action associated with a first web service;

generating, using the one or more computing devices, an electronic token;

storing a first copy of the electronic token, at the computing device, as a stored token within a client storage implementing an access policy;

generating, using the one or more computing devices, a return link associated with a passed token copy of the electronic token, wherein the return link is associated with the first web service;

redirecting browsing, using the one or more computing devices, to a second web service while providing the return link and the associated passed token copy;

completing, using the one or more computing devices, an operation associated with the second web service;

returning, using the one or more computing devices, to the first web service according to the provided return link;

extracting, using the one or more computing devices, the passed token copy from the return link;

reading, using the one or more computing devices, the stored token from the client storage;

determining, using the one or more computing devices, that the passed token copy matches the stored token; and

performing, using the one or more computing devices, the action in response to determining that the passed token copy matches the stored token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods can secure against cross-site request forgery using client-side token storage. A client browser can initiate an action associated with a first web service and generate a token. The token may be stored in client-side storage at the computing device. An indicator of the action may also be stored within the client-side storage. A return link, associated with a passed copy of the token, may be generated. The client may perform the redirect and return to the first web service according to the return link. The passed copy of the token can be extracted from the return link. The indicator of the action and the stored token may be loaded from the client storage. The passed copy of the token and the stored token may be compared. The action according to the indicator of the action may be performed in response to the comparison matching.

26 Citations

View as Search Results

21 Claims

1. A computer-implemented method for securing against cross-site request forgery, the method comprising:
- initiating, using one or more computing devices, an action associated with a first web service;
  
  generating, using the one or more computing devices, an electronic token;
  
  storing a first copy of the electronic token, at the computing device, as a stored token within a client storage implementing an access policy;
  
  generating, using the one or more computing devices, a return link associated with a passed token copy of the electronic token, wherein the return link is associated with the first web service;
  
  redirecting browsing, using the one or more computing devices, to a second web service while providing the return link and the associated passed token copy;
  
  completing, using the one or more computing devices, an operation associated with the second web service;
  
  returning, using the one or more computing devices, to the first web service according to the provided return link;
  
  extracting, using the one or more computing devices, the passed token copy from the return link;
  
  reading, using the one or more computing devices, the stored token from the client storage;
  
  determining, using the one or more computing devices, that the passed token copy matches the stored token; and
  
  performing, using the one or more computing devices, the action in response to determining that the passed token copy matches the stored token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein the client storage is a session storage associated with a web browser.
  - 3. The computer-implemented method of claim 1, further comprising storing an indicator of the action within the client storage prior to redirecting browsing, reading the indicator of the action from the client storage after returning to the first web service according to the provided return link, and wherein performing the action comprises performance according to the read indicator of the action.
  - 4. The computer-implemented method of claim 1, wherein the second web service is a login authentication service.
  - 5. The computer-implemented method of claim 1, wherein the access policy limits access to information stored within the client storage to the same Internet domain.
  - 6. The computer-implemented method of claim 1, wherein the access policy limits access to information stored within the client storage to the same web site that originally stored the information.
  - 7. The computer-implemented method of claim 1, wherein the electronic token comprises one of a random number, pseudorandom number, user identifier, and time stamp.
  - 8. The computer-implemented method of claim 1, wherein the passed token copy comprises a duplicate of the electronic token to be verified after passing along through the redirected browsing.

9. A system, comprising:
- a user computing device associated with a browser; and
  
  one or more computing devices associated with a first web service,where in the user computing device is configured to;
  
  receive initiation of an action associated with the first web service;
  
  generate a token;
  
  store a first copy of the token as a stored token within a client storage implementing an access policy;
  
  generate a return link associated with a passed copy of the token, wherein the return link is associated with the first web service;
  
  redirect browsing to a second web service while providing the return link and associated passed copy of the token;
  
  complete an operation associated with the second web service;
  
  return to the first web service according to the provided return link;
  
  extract the passed copy of the token from the return link;
  
  read the stored token from the client storage;
  
  determine that the passed copy of the token matches the stored token; and
  
  perform the action in response to determining that the passed copy of the token matches the stored token.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein the client storage is a session storage associated with the web browser.
  - 11. The system of claim 9, wherein the user computing device is further configured to store an indicator of the action within the client storage prior to redirecting browsing, read the indicator of the action from the client storage after returning to the first web service according to the provided return link, and wherein performing the action comprises performance according to the read indicator of the action.
  - 12. The system of claim 9, wherein the second web service is one of a login authentication service and a payment service.
  - 13. The system of claim 9, wherein the access policy limits access to information stored within the client storage to the same Internet domain.
  - 14. The system of claim 9, wherein the access policy limits access to information stored within the client storage to the same web site that originally stored the information.
  - 15. The system of claim 9, wherein the token comprises one of a random number, pseudorandom number, user identifier, and time stamp.

16. A computer program product, comprising:
- a non-transitory computer-readable medium having computer-readable program code embodied therein that, when executed by one or more computing devices, perform a method comprising;
  
  initiating, on the one or more computing devices, an action associated with a first web service;
  
  generating, on the one or more computing devices, a token;
  
  storing a first copy of the token, at the one or more computing devices, as a stored token within a client storage implementing an access policy;
  
  generating, on the one or more computing devices, a return link associated with a passed copy of the token, wherein the return link is associated with the first web service;
  
  redirecting browsing, on the one or more computing devices, to a second web service while providing the return link and associated passed copy of the token;
  
  completing, on the one or more computing devices, an operation associated with the second web service;
  
  returning, on the one or more computing devices, to the first web service according to the provided return link;
  
  extracting, on the one or more computing devices, the passed copy of the token from the return link;
  
  reading, on the one or more computing devices, the stored token from the client storage;
  
  determining, on the one or more computing devices, that the passed copy of the token matches the stored token; and
  
  performing, on the one or more computing devices, the action in response to determining that the passed copy of the token matches the stored token.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The computer program product of claim 16, wherein the client storage is a session storage associated with the web browser.
  - 18. The computer program product of claim 16, wherein the method further comprises storing an indicator of the action within the client storage prior to redirecting browsing, reading the indicator of the action from the client storage after returning to the first web service according to the provided return link, and wherein performing the action comprises performance according to the read indicator of the action.
  - 19. The computer program product of claim 16, wherein the second web service is one of a login authentication service and a payment service.
  - 20. The computer program product of claim 16, wherein the access policy limits access to information stored within the client storage to the same web site that originally stored the information.
  - 21. The computer program product of claim 16, wherein the token comprises one of a random number, pseudorandom number, user identifier, and time stamp.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Gajda, Damian, Shirriff, Kenneth William

Granted Patent

US 9,104,838 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 16/24   Querying

G06F 21/00   Security arrangements for p...

G06F 21/445   by mutual authentication, e...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

H04L 63/14   for detecting or protecting...

H04L 63/1441   Countermeasures against mal...

Client Token Storage for Cross-Site Request Forgery Protection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Client Token Storage for Cross-Site Request Forgery Protection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links