-
Publication number: US20170223051A1
Publication date: 2017-08-03
Application number: US15494623
Filing date: 2017-04-24
CPC classification: H04L63/1466, G06F21/44, G06F2221/2119, G06F2221/2129, H04L9/3213, H04L9/3234, H04L9/3242, H04L63/10, H04L63/123
Abstract: An HTML document includes a JavaScript element that manages CSRF token use. When the HTML document is rendered, the JavaScript element asynchronously requests a CSRF token from the server. In response, the server generates a JWT using a keyed HMAC algorithm. The resulting JWT, which functions as a CSRF token, is returned to the user, where it is stored in a protected variable inside the JavaScript element. The CSRF token is therefore stateless and is not stored in a server-side repository. When the user later requests access to a server resource, the CSRF token is included in that request. This may be accomplished by adding a hidden input field containing the CSRF token to the submission that is transmitted to the server. If the server cannot validate the received token using the HMAC key that was originally used to generate it, the request is considered unauthorized and is not processed.
-
Publication number: US09774622B2
Publication date: 2017-09-26
Application number: US15494623
Filing date: 2017-04-24
CPC classification: H04L63/1466, G06F21/44, G06F2221/2119, G06F2221/2129, H04L9/3213, H04L9/3234, H04L9/3242, H04L63/10, H04L63/123
Abstract: An HTML document includes a JavaScript element that manages CSRF token use. When the HTML document is rendered, the JavaScript element asynchronously requests a CSRF token from the server. In response, the server generates a JWT using a keyed HMAC algorithm. The resulting JWT, which functions as a CSRF token, is returned to the user, where it is stored in a protected variable inside the JavaScript element. The CSRF token is therefore stateless and is not stored in a server-side repository. When the user later requests access to a server resource, the CSRF token is included in that request. This may be accomplished by adding a hidden input field containing the CSRF token to the submission that is transmitted to the server. If the server cannot validate the received token using the HMAC key that was originally used to generate it, the request is considered unauthorized and is not processed.
-
Publication number: US09660809B2
Publication date: 2017-05-23
Application number: US14820607
Filing date: 2015-08-07
CPC classification: H04L63/1466, G06F21/44, G06F2221/2119, G06F2221/2129, H04L9/3213, H04L9/3234, H04L9/3242, H04L63/10, H04L63/123
Abstract: An HTML document includes a JavaScript element that manages CSRF token use. When the HTML document is rendered, the JavaScript element asynchronously requests a CSRF token from the server. In response, the server generates a JWT using a keyed HMAC algorithm. The resulting JWT, which functions as a CSRF token, is returned to the user, where it is stored in a protected variable inside the JavaScript element. The CSRF token is therefore stateless and is not stored in a server-side repository. When the user later requests access to a server resource, the CSRF token is included in that request. This may be accomplished by adding a hidden input field containing the CSRF token to the submission that is transmitted to the server. If the server cannot validate the received token using the HMAC key that was originally used to generate it, the request is considered unauthorized and is not processed.
-
Publication number: US20170041144A1
Publication date: 2017-02-09
Application number: US14820607
Filing date: 2015-08-07
CPC classification: H04L63/1466, G06F21/44, G06F2221/2119, G06F2221/2129, H04L9/3213, H04L9/3234, H04L9/3242, H04L63/10, H04L63/123
Abstract: An HTML document includes a JavaScript element that manages CSRF token use. When the HTML document is rendered, the JavaScript element asynchronously requests a CSRF token from the server. In response, the server generates a JWT using a keyed HMAC algorithm. The resulting JWT, which functions as a CSRF token, is returned to the user, where it is stored in a protected variable inside the JavaScript element. The CSRF token is therefore stateless and is not stored in a server-side repository. When the user later requests access to a server resource, the CSRF token is included in that request. This may be accomplished by adding a hidden input field containing the CSRF token to the submission that is transmitted to the server. If the server cannot validate the received token using the HMAC key that was originally used to generate it, the request is considered unauthorized and is not processed.
-