Methods and devices for accessing protected applications
US-2019057204-A1 · Feb 21, 2019 · US
US10587697B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10587697-B2 |
| Application number | US-201815927786-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 21, 2018 |
| Priority date | Mar 21, 2018 |
| Publication date | Mar 10, 2020 |
| Grant date | Mar 10, 2020 |
Official abstract text for this publication.
Methods, systems, and devices for application-specific session authentication are described. In some systems, a host server may authenticate a single-page application utilizing token-based verification. For example, a user device running the single-page application embedded within a container webpage may transmit a resource request including a session-identifying token to the host server. The host server may identify whether the session-identifying token is included in the resource request from the single-page application in order to determine whether to grant resource access for the request. If the request includes the token, the host server may determine that the request is from the single-page application, and may transmit the requested resources to the user device to load or update the embedded application. Using the token-based scheme, the host server may grant access to requests from the specific application, while restricting resource access to any requests received from other entities of the user device.
Opening claim text (preview).
What is claimed is:
1. A method for application-specific session authentication, comprising: receiving, at a host server, a resource request comprising a session-identifying token and an indication of requested resources; identifying that the resource request is received from a single-page application embedded in a first container webpage of a web browser based at least in part on receiving the session-identifying token with the resource request; establishing an application-specific session with the single-page application based at least in part on the identifying, wherein the application-specific session grants the single-page application access to resources associated with the host server; transmitting, to the single-page application, the requested resources indicated by the resource request based at least in part on the established application-specific session; hosting, at the host server, cross-domain session storage specific to the single-page application; storing, in the cross-domain session storage, the session-identifying token; identifying a switch, in the web browser, from the first container webpage to a second container webpage of a different domain than the first container webpage; and reloading the single-page application embedded in the second container webpage based at least in part on maintaining the application-specific session using the session-identifying token stored in the cross-domain session storage.
2. The method of claim 1, further comprising: storing session data for the container webpage, the single-page application, or both in the cross-domain session storage.
3. The method of claim 2, further comprising: receiving, at the host server, a request to reload the single-page application in the second container webpage; and transmitting the session data stored in the cross-domain session storage based at least in part on the session-identifying token stored in the cross-domain session storage, wherein reloading the single-page application is based at least in part on transmitting the session data.
4. The method of claim 1, wherein the session-identifying token is stored in the cross-domain session storage based at least in part on a user login procedure.
5. The method of claim 4, wherein the resource request refers to the first container webpage, the method further comprising: receiving, at the host server, an additional resource request referring to the second container webpage, wherein the additional resource request comprises the session-identifying token based at least in part on the cross-domain session storage; and identifying that the additional resource request is received from the single-page application embedded in the second container webpage based at least in part on receiving the session-identifying token with the additional resource request.
6. The method of claim 4, further comprising: removing the session-identifying token from the cross-domain session storage based at least in part on a user logout procedure.
7. The method of claim 1, further comprising: receiving, at the host server and from the first container webpage, an additional resource request comprising an indication of additional requested resources associated with the host server; determining that the additional resource request does not comprise the session-identifying token based at least in part on the additional resource request being from the first container webpage and not from the single-page application embedded in the first container webpage; and restricting access to the additional requested resources based at least in part on the determining.
8. The method of claim 1, wherein: the first container webpage corresponds to a tenant of the host server; and the application-specific session grants the single-page application access to tenant-specific resources for the tenant and associated with the host server.
9. The method of claim 1, further comprising: transmitting, to the first container webpage, a session-identifying cookie based at least in part on establishing the application-specific session with the single-page application; and receiving, at the host server, one or more additional resource requests comprising the session-identifying cookie.
10. The method of claim 1, further comprising: granting the application-specific session access to a subset of the resources associated with the host server, wherein the subset of the resources is based at least in part on permissions for the single-page application.
11. The method of claim 1, wherein the session-identifying token comprises an open authorization (OAUTH) token.
12. The method of claim 1, wherein the resource request comprises an XMLHttpRequest (XHR).
13. The method of claim 1, wherein the session-identifying token is included in a header of the resource request.
14. An apparatus for application-specific session authentication, comprising: a processor; memory in electronic communication with the processor; and instructions stored in the memory and executable by the processor to cause the apparatus to: receive, at a host server, a resource request comprising a session-identifying token and an indication of requested resources; identify that the resource request is received from a single-page application embedded in a first container webpage of a web browser based at least in part on receiving the session-identifying token with the resource request; establish an application-specific session with the single-page application based at least in part on the identifying, wherein the application-specific session grants the single-page application access to resources associated with the host server; transmit, to the single-page application, the requested resources indicated by the resource request based at least in part on the established application-specific session; host, at the host server, cross-domain session storage specific to the single-page application; store, in the cross-domain session storage, the session-identifying token; identify a switch, in the web browser, from the first container webpage to a second container webpage of a different domain than the first container webpage; and reload the single-page application embedded in the second container webpage based at least in part on maintaining the application-specific session using the session-identifying token stored in the cross-domain session storage.
15. The apparatus of claim 14, wherein the instructions are further executable by the processor to cause the apparatus to: store session data for the container webpage, the single-page application, or both in the cross-domain session storage.
16. The apparatus of claim 14, wherein the instructions are further executable by the processor to cause the apparatus to: receive, at the host server and from the first container webpage, an additional resource request comprising an indication of additional requested resources associated with the host server; determine that the additional resource request does not comprise the session-identifying token; and restrict access to the additional requested resources based at least in part on the determining.
17. The apparatus of claim 14, wherein the instructions are further executable by the processor to cause the apparatus to: transmit, to the first container webpage, a session-identifying cookie based at least in part on establishing the application-specific session with the single-page application; and receive, at the host server, one or more additional resource requests comprising the session-
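The host-side decision described in the abstract and in claims 1, 4, 6 to 8, 10 and 13 can be illustrated as follows. This is an added example, not text or code from the patent; every function name, the `Bearer` header format, the `tenant/name` resource layout, and the sample token and origins are assumptions made for illustration.

```javascript
// Added example; all names (crossDomainStore, login, ...) are hypothetical.
// Cross-domain session storage hosted at the server, keyed by token (claim 1).
const crossDomainStore = new Map();

// Login stores the token (claim 4). Assumption: the caller passes a token
// produced by a CSPRNG; issuance itself is outside this example.
function login(token, tenant, permissions) {
  crossDomainStore.set(token, { tenant, permissions: new Set(permissions), data: {} });
}

// Logout removes the token (claim 6), so later requests are restricted.
function logout(token) { return crossDomainStore.delete(token); }

// The token travels in a request header (claim 13); Bearer format is assumed.
function extractToken(headers) {
  const match = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(headers.authorization || '');
  return match ? match[1] : null;
}

// Decide on one request: { headers, containerOrigin, resource: 'tenant/name' }.
function handleResourceRequest(req) {
  const token = extractToken(req.headers);
  // No token: treated as the container page or another entity (claim 7).
  if (token === null) return { status: 401, reason: 'missing token' };
  const session = crossDomainStore.get(token);
  if (!session) return { status: 401, reason: 'unknown or revoked token' };
  // Scope by tenant and by permission (claims 8 and 10).
  const [tenant, name] = String(req.resource || '').split('/');
  if (tenant !== session.tenant || !session.permissions.has(name)) {
    return { status: 403, reason: 'outside session scope' };
  }
  // State is server-side, so it survives a switch to a container on another
  // domain; containerOrigin is recorded but never used to authorize.
  session.data.lastContainer = req.containerOrigin;
  return { status: 200, body: `${tenant}/${name}`, session: session.data };
}

// Constructed sample run: one token, two container domains, then logout.
function demo() {
  const token = 'tok-constructed-123';
  const req = (origin, auth) => ({ containerOrigin: origin, resource: 'acme/chat',
    headers: auth ? { authorization: `Bearer ${auth}` } : {} });
  login(token, 'acme', ['chat']);
  const statuses = [req('https://a.example', token), req('https://b.example', token),
    req('https://a.example', null)].map((r) => handleResourceRequest(r).status);
  logout(token);
  statuses.push(handleResourceRequest(req('https://b.example', token)).status);
  return statuses;
}
```

The decision rests only on possession of the token, so any script able to read the token is treated as the single-page application.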
Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding · CPC title
Setup of application sessions (admission control or resource allocation in data switching networks H04L47/70) · CPC title
Migration or transfer of sessions · CPC title
using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title
using delegated authorisation, e.g. open authorisation [OAuth] protocol · CPC title