Invention Grant
US09191405B2 Dynamic cross-site request forgery protection in a web-based client application
In force
- Patent Title: Dynamic cross-site request forgery protection in a web-based client application
- Application No.: US13360816
- Application Date: 2012-01-30
- Publication No.: US09191405B2
- Publication Date: 2015-11-17
- Inventor: Thomas Patrick Gallagher, Venkataramann Renganathan, Brian Thomas Carver, Muhammed Serdar Soran, Matthew Michael Swann, Trace David Ferrier
- Applicant: Thomas Patrick Gallagher, Venkataramann Renganathan, Brian Thomas Carver, Muhammed Serdar Soran, Matthew Michael Swann, Trace David Ferrier
- Applicant Address: US WA Redmond
- Assignee: Microsoft Technology Licensing, LLC
- Current Assignee: Microsoft Technology Licensing, LLC
- Current Assignee Address: US WA Redmond
- Agent: Steve Crocker; Danielle Johnston-Holmes; Micky Minhas
- Main IPC: H04L29/06
- IPC: H04L29/06; H04W12/06

Abstract:
A canary value is used to validate a message from a non-web browser client application to a web server providing web services to mitigate cross-site forgery attacks. The canary value is generated by the server in part by applying a hash function to a user identifier and a time stamp. The server provides the canary value to the client application in response to receiving a message that does not have a canary or has an expired canary. The client application, upon receiving an error message with a canary message, will resend the prior message with the canary value present. The client application caches the canary value for subsequent messages until a new canary value is received. The canary value allows the server to ignore messages generated by the client application under control of an attacker.
Public/Granted literature
- US20130198294A1 DYNAMIC CROSS-SITE REQUEST FORGERY PROTECTION IN A WEB-BASED CLIENT APPLICATION Public/Granted day: 2013-08-01