Client token storage for cross-site request forgery protection

US 9,104,838 B2
Filed: 11/14/2012
Issued: 08/11/2015
Est. Priority Date: 11/14/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for securing against cross-site request forgery, the method comprising:

initiating, by a web browser of a client computing device, an action directed to a first web service;

generating, by the client computing device, an electronic token for the action;

redirecting browsing, by the client computing device, to a second web service while providing a passed token copy to the second web service;

receiving, from the second web service by the client computing device, the passed token copy upon completing, by the client computing device, an operation associated with the second web service;

determining, by the client computing device, that the received passed token copy matches the generated token; and

performing, by the client computing device, the action in response to determining that the received passed token copy matches the stored token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods can secure against cross-site request forgery using client-side token storage. A client browser can initiate an action associated with a first web service and generate a token. The token may be stored in client-side storage at the computing device. An indicator of the action may also be stored within the client-side storage. A return link, associated with a passed copy of the token, may be generated. The client may perform the redirect and return to the first web service according to the return link. The passed copy of the token can be extracted from the return link. The indicator of the action and the stored token may be loaded from the client storage. The passed copy of the token and the stored token may be compared. The action according to the indicator of the action may be performed in response to the comparison matching.

67 Citations

View as Search Results

21 Claims

1. A computer-implemented method for securing against cross-site request forgery, the method comprising:
- initiating, by a web browser of a client computing device, an action directed to a first web service;
  
  generating, by the client computing device, an electronic token for the action;
  
  redirecting browsing, by the client computing device, to a second web service while providing a passed token copy to the second web service;
  
  receiving, from the second web service by the client computing device, the passed token copy upon completing, by the client computing device, an operation associated with the second web service;
  
  determining, by the client computing device, that the received passed token copy matches the generated token; and
  
  performing, by the client computing device, the action in response to determining that the received passed token copy matches the stored token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1:
    - wherein the generated token is stored in session storage associated with the web browser;
      
      further comprising generating, by the client computing device, a return link associated with a passed token copy of the electronic token, wherein the return link is associated with the first web service; and
      
      wherein performing the action in response to determining that the passed token copy matches the stored token comprises performing a script initiated by the return link.
  - 3. The computer-implemented method of claim 2, further comprising storing an indicator of the action within the session storage prior to redirecting browsing, reading the indicator of the action from the session storage after returning to the first web service according to the provided return link, and wherein performing the action comprises performance according to the read indicator of the action.
  - 4. The computer-implemented method of claim 1, wherein the second web service is a login authentication service.
  - 5. The computer-implemented method of claim 1, wherein an access policy limits access to information stored within the session storage to the same Internet domain.
  - 6. The computer-implemented method of claim 1, wherein an access policy limits access to information stored within the session storage to the same web site that originally stored the information.
  - 7. The computer-implemented method of claim 1, wherein the electronic token comprises one of a random number, pseudorandom number, user identifier, and time stamp.
  - 8. The computer-implemented method of claim 1, wherein the passed token copy comprises a duplicate of the electronic token to be verified after passing along through the redirected browsing.

9. A system, comprising:
- a user computing device associated with a browser; and
  
  a first web service,where in the user computing device is configured to;
  
  receive, via the browser, initiation of an action directed to the first web service;
  
  generate a token for the initiated action;
  
  redirect browsing to a second web service while providing the passed copy of the token to the second web service;
  
  receive, from the second web service by the user computing device, the passed token copy upon completing an operation associated with the second web service;
  
  determine that the received passed copy of the token matches the generated token; and
  
  perform the action in response to determining that the received passed copy of the token matches the generated token.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9wherein the generated token is stored in session storage associated with the web browser;
    - further comprising generating, using the user computing device, a return link associated with a passed token copy of the electronic token, wherein the return link is associated with the first web service; and
      
      wherein performing the action in response to determining that the passed token copy matches the stored token comprises performing a script initiated by the return link.
  - 11. The system of claim 10, wherein the user computing device is further configured to store an indicator of the action within the session storage prior to redirecting browsing, read the indicator of the action from the session storage after returning to the first web service according to the provided return link, and wherein performing the action comprises performance according to the read indicator of the action.
  - 12. The system of claim 9, wherein the second web service is one of a login authentication service and a payment service.
  - 13. The system of claim 9, wherein the access policy limits access to information stored within the session storage to the same Internet domain.
  - 14. The system of claim 9, wherein the access policy limits access to information stored within the session storage to the same web site that originally stored the information.
  - 15. The system of claim 9, wherein the token comprises one of a random number, pseudorandom number, user identifier, and time stamp.

16. A computer program product, comprising:
- a non-transitory computer-readable medium having computer-readable program code embodied therein that, when executed by a client computing device, performs a method comprising;
  
  initiating, by a browser of the client computing device, an action directed to a first web service;
  
  generating, by the client computing device, a token for the action;
  
  redirecting browsing, by the client computing device, to a second web service while providing the passed copy of the token to the second web service;
  
  receiving, from the second web service by the client computing device, the passed token copy upon completing, by the client computing device, an operation associated with the second web service;
  
  determining, by the client computing device, that the received passed copy of the token matches the generated token; and
  
  performing, by the client computing device, the action in response to determining that the passed copy of the token matches the generated token.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The computer program product of claim 16,wherein the generated token is stored in session storage associated with the web browser;
    - further comprising generating, by the client computing device, a return link associated with a passed token copy of the electronic token, wherein the return link is associated with the first web service; and
      
      wherein performing the action in response to determining that the passed token copy matches the stored token comprises performing a script initiated by the return link.
  - 18. The computer program product of claim 17, wherein the method further comprises storing an indicator of the action within the session storage prior to redirecting browsing, reading the indicator of the action from the session storage after returning to the first web service according to the provided return link, and wherein performing the action comprises performance according to the read indicator of the action.
  - 19. The computer program product of claim 16, wherein the second web service is one of a login authentication service and a payment service.
  - 20. The computer program product of claim 16, wherein the access policy limits access to information stored within the session storage to the same web site that originally stored the information.
  - 21. The computer program product of claim 16, wherein the token comprises one of a random number, pseudorandom number, user identifier, and time stamp.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Gajda, Damian, Shirriff, Kenneth William
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Brown, Demaris

Application Number

US13/677,284
Publication Number

US 20140137248A1
Time in Patent Office

1,000 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/24   Querying

G06F 21/00   Security arrangements for p...

G06F 21/445   by mutual authentication, e...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

H04L 63/14   for detecting or protecting...

H04L 63/1441   Countermeasures against mal...

Client token storage for cross-site request forgery protection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Client token storage for cross-site request forgery protection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links