Patent · US Active

Dynamic cross-site request forgery protection in a web-based client application

US9191405B2 · kind B2 · utility

Cited by: 2
References: 32
Claims: 15
Family size: 0

Assignee

Inventors

Key dates

Filing date: Jan 30, 2012
Grant date: Nov 17, 2015
Priority date
Expiry date: Jan 30, 2032

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04W12/062
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A canary value is used to validate a message from a non-web browser client application to a web server providing web services to mitigate cross-site forgery attacks. The canary value is generated by the server in part by applying a hash function to a user identifier and a time stamp. The server provides the canary value to the client application in response to receiving a message that does not have a canary or has an expired canary. The client application upon receiving an error message with a canary message will resend the prior message with the canary value present. The client application caches the canary value for subsequent messages until a new canary value is received. The canary value allows the server to ignore messages generated by the client application under control of an attacker.
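The exchange the abstract describes, sketched as an added example that is not taken from the patent or its claims. It assumes HMAC-SHA256 under a server-side key as the hash step, a 300-second lifetime, and a `timestamp.mac` canary format; all function and class names are hypothetical.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret
CANARY_TTL = 300                      # assumption: lifetime in seconds


def _mac(user_id, ts):
    return hmac.new(SERVER_KEY, f"{user_id}|{ts}".encode(), hashlib.sha256).hexdigest()


def make_canary(user_id, now):
    """Canary = time stamp plus keyed hash over user identifier and time stamp."""
    ts = str(int(now))
    return f"{ts}.{_mac(user_id, ts)}"


def canary_ok(user_id, canary, now):
    """True only if the canary is well formed, bound to this user, and unexpired."""
    ts, _, mac = (canary or "").partition(".")
    if not (ts.isascii() and ts.isdigit() and mac):
        return False
    fresh = 0 <= int(now) - int(ts) <= CANARY_TTL
    return fresh and hmac.compare_digest(mac.encode(), _mac(user_id, ts).encode())


def server_handle(user_id, message, now):
    """Act on the message only with a valid canary; otherwise reply with an
    error carrying a fresh canary and leave the message unprocessed."""
    if canary_ok(user_id, message.get("canary"), now):
        return {"status": "ok", "processed": message["body"]}
    return {"status": "error", "canary": make_canary(user_id, now)}


class Client:
    """Non-browser client: caches the canary and resends once on an error reply."""

    def __init__(self, user_id):
        self.user_id, self.canary, self.sends = user_id, None, 0

    def send(self, body, now):
        for _ in range(2):
            self.sends += 1
            msg = {"body": body, "canary": self.canary}
            reply = server_handle(self.user_id, msg, now)
            if reply["status"] == "ok":
                break
            self.canary = reply["canary"]  # cache until a new value arrives
        return reply
```

A message that arrives without a canary is never acted on; it only triggers the error reply, so a sender that cannot read that reply cannot complete the request.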

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.