Patent · US Active

Secure client-server communication

US10587732B2 · kind B2 · utility

Cited by: 1
References: 5
Claims: 10
Family size: 0

Assignee

Inventors

Key dates

Filing date: Apr 13, 2017
Grant date: Mar 10, 2020
Priority date:
Expiry date: Oct 30, 2037

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04W4/02
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A secure client-server connection method compatible with RESTful (REpresentational State Transfer) APIs (Application Programming Interfaces) that is resistant to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The server generates a token for the client and a random value, which it pairs with the token. The random value is hashed. The hash value is transmitted to the client inside the token, and the random value is transmitted to the client inside an HTTPOnly cookie. Even if an attacker steals the token and/or the hash, security is maintained, since the server verifies communications from the client by validating the token on the basis of its hash value. Validation is performed by the server hashing the random value contained in the HTTPOnly cookie paired with the token to obtain a further hash value, and checking that this further hash value matches the hash value carried in the token.
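The token-to-cookie binding the abstract describes, as an added Python example that is not the patent's own code or any product's implementation. It assumes SHA-256 as the hash, a server-held key that seals the token against tampering (the abstract does not say how the token is protected), and a cookie named `pair`; a request is accepted only when the hash of the HttpOnly cookie's random value matches the hash embedded in the token.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed server-side key for sealing tokens (assumption: the abstract
# does not specify how token integrity is protected).
_TOKEN_KEY = secrets.token_bytes(32)


def _sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def _mac(payload: str) -> str:
    return hmac.new(_TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_credentials(subject: str) -> Tuple[str, str]:
    """Server side: return (token, cookie_value) for a new session.

    The token carries only the hash of the random value; the random value
    itself is returned for the Set-Cookie header, flagged HttpOnly so that
    page scripts (and hence an XSS payload) cannot read it.
    """
    random_value = secrets.token_hex(32)
    payload = json.dumps({"sub": subject, "hash": _sha256_hex(random_value)})
    return payload + "." + _mac(payload), random_value


def set_cookie_header(cookie_value: str) -> str:
    """Cookie attributes that keep the random value out of script reach."""
    return f"Set-Cookie: pair={cookie_value}; HttpOnly; Secure; SameSite=Strict; Path=/"


def validate_request(token: Optional[str], cookie_value: Optional[str]) -> bool:
    """Server side: accept only when both halves are present and bound together."""
    if token is None or cookie_value is None:
        return False  # CSRF sends the cookie alone; XSS theft yields the token alone
    payload, sep, tag = token.rpartition(".")
    if not sep or not hmac.compare_digest(_mac(payload), tag):
        return False  # token forged or tampered with
    try:
        claimed_hash = json.loads(payload)["hash"]
    except (ValueError, KeyError, TypeError):
        return False
    # Re-hash the cookie's random value and compare with the token's hash.
    return hmac.compare_digest(_sha256_hex(cookie_value), claimed_hash)
```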

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.