System and method for preventing session pinning on a domain portal

Document no.: 1510732  Published: 2020-02-07

Note: This technique, "System and method for preventing session pinning on a domain portal", was created by 罗伊·尤达森, 俄林·阿尔夫·埃林森, 伊泰·杜乌德瓦尼 and 奥伦·哈菲夫 on 2017-05-26. Its main content is as follows: In one embodiment, a method includes a system receiving a request from a user's device, the request directed to a first host. The system may generate a key, an authentication token, and an encryption key. The system may transmit the authentication token and the encryption key from the first host to the device, together with instructions configured to cause (1) the authentication token to be stored as a cookie associated with the first host, and (2) the device to transmit the encryption key to a second host. The system may receive from the device a second request including the encryption key and, upon determining that the encryption key has not been previously decrypted, decrypt it to obtain the key. The system may transmit the key from the second host to the device and instruct the device to store the key as a cookie associated with the second host.

1. A method, comprising:

receiving, by a computing system, a first request from a client device associated with a user, the first request directed to a first host associated with the computing system;

generating, by the computing system, a key in response to the first request;

generating, by the computing system, an authentication token based on the key;

generating, by the computing system, an encryption key based on the key;

transmitting, by the computing system, a first instruction, the authentication token, and the encryption key from the first host to the client device, the first instruction configured to:

cause the authentication token to be stored on the client device as a first cookie, the first cookie associated with the first host; and

cause the client device to transmit the encryption key to a second host associated with the computing system;

receiving, by the computing system, a second request comprising the encryption key from the client device;

decrypting, by the computing system, the received encryption key to obtain the key upon determining that the encryption key has not been previously decrypted; and

transmitting, by the computing system, from the second host to the client device, a second instruction and the key obtained by the decrypting, the second instruction configured to cause the key obtained by the decrypting to be stored on the client device as a second cookie, the second cookie associated with the second host.

2. The method of claim 1, further comprising:

receiving, by the computing system, a previous request from the client device, wherein the previous request is directed to a third host associated with the computing system and is received before the first request is received; and

transmitting, by the computing system, a redirection instruction to the client device in response to the previous request, the redirection instruction configured to cause the client device to send the first request to the first host.

3. The method of claim 1, further comprising:

generating, by the computing system, a one-time random number (nonce); and

transmitting, by the computing system, the nonce to the client device;

wherein the first instruction is configured to cause the client device to transmit the nonce with the encryption key to the second host associated with the computing system; and

wherein determining that the encryption key has not been previously decrypted is based on the nonce.

4. The method of claim 3, further comprising:

receiving, by the computing system, a third request from a second client device associated with a second user, the third request comprising the encryption key and the nonce;

determining, by the computing system, that (1) the nonce was previously used, or (2) the nonce is not bound to the encryption key; and

rejecting, by the computing system, the third request.

5. The method of claim 1, wherein the first cookie is configured to be accessible by client-side scripts, wherein the second cookie is configured to be inaccessible by client-side scripts.

6. The method of claim 1, wherein the first host and the second host are different.

7. The method of claim 1, wherein the second host is configured to provide access to a webpage hosted by a third party.

8. The method of claim 1, further comprising:

receiving, by the computing system, a third request from the client device that includes the key stored as the second cookie;

generating, by the computing system, a second authentication token based on the key received with the third request; and

transmitting, by the computing system and in response to the third request, a web page to the client device, the web page including the second authentication token and instructions configured to cause the client device to:

compare the second authentication token with the authentication token stored as the first cookie; and

determine whether to present the web page based on the comparison.

9. One or more computer-readable non-transitory storage media embodying software that is operable when executed to:

receive a first request from a client device associated with a user, the first request directed to a first host associated with a computing system;

generate a key in response to the first request;

generate an authentication token based on the key;

generate an encryption key based on the key;

transmit, from the first host to the client device, a first instruction, the authentication token, and the encryption key, the first instruction configured to:

cause the authentication token to be stored on the client device as a first cookie, the first cookie associated with the first host; and

cause the client device to transmit the encryption key to a second host associated with the computing system;

receive a second request comprising the encryption key from the client device;

decrypt the received encryption key to obtain the key upon determining that the encryption key has not been previously decrypted; and

transmit, from the second host to the client device, a second instruction and the key obtained by the decryption, the second instruction configured to cause the key obtained by the decryption to be stored on the client device as a second cookie, the second cookie associated with the second host.

10. The media of claim 9, wherein the software when executed is further operable to:

receive a previous request from the client device, wherein the previous request is directed to a third host associated with the computing system and is received before the first request is received; and

transmit, to the client device, a redirection instruction in response to the previous request, the redirection instruction configured to cause the client device to send the first request to the first host.

11. The media of claim 9, wherein the software when executed is further operable to:

generate a one-time random number (nonce); and

transmit the nonce to the client device;

wherein the first instruction is configured to cause the client device to transmit the nonce with the encryption key to the second host associated with the computing system; and

wherein determining that the encryption key has not been previously decrypted is based on the nonce.

12. The media of claim 11, wherein the software when executed is further operable to:

receive a third request from a second client device associated with a second user, the third request including the encryption key and the nonce;

determine that (1) the nonce was previously used, or (2) the nonce is not bound to the encryption key; and

reject the third request.

13. The media of claim 9, wherein the second host is configured to provide access to a webpage hosted by a third party.

14. The media of claim 9, wherein the software when executed is further operable to:

receive, from the client device, a third request comprising the key stored as the second cookie;

generate a second authentication token based on the key received with the third request; and

transmit, to the client device in response to the third request, a web page including the second authentication token and instructions configured to cause the client device to:

compare the second authentication token with the authentication token stored as the first cookie; and

determine whether to present the web page based on the comparison.

15. A computing system, comprising:

one or more processors; and

one or more computer-readable non-transitory storage media coupled to one or more of the processors and comprising instructions that when executed by one or more of the processors are operable to cause the system to:

receive a first request from a client device associated with a user, the first request directed to a first host associated with the computing system;

generate a key in response to the first request;

generate an authentication token based on the key;

generate an encryption key based on the key;

transmit, from the first host to the client device, a first instruction, the authentication token, and the encryption key, the first instruction configured to:

cause the authentication token to be stored on the client device as a first cookie, the first cookie associated with the first host; and

cause the client device to transmit the encryption key to a second host associated with the computing system;

receive a second request comprising the encryption key from the client device;

decrypt the received encryption key to obtain the key upon determining that the encryption key has not been previously decrypted; and

transmit, from the second host to the client device, a second instruction and the key obtained by the decryption, the second instruction configured to cause the key obtained by the decryption to be stored on the client device as a second cookie, the second cookie associated with the second host.

16. The system of claim 15, wherein the instructions, when executed by the processors, are further operable to cause the system to:

receive a previous request from the client device, wherein the previous request is directed to a third host associated with the computing system and is received before the first request is received; and

transmit, to the client device, a redirection instruction in response to the previous request, the redirection instruction configured to cause the client device to send the first request to the first host.

17. The system of claim 15, wherein the instructions, when executed by the processors, are further operable to cause the system to:

generate a one-time random number (nonce); and

transmit the nonce to the client device;

wherein the first instruction is configured to cause the client device to transmit the nonce with the encryption key to the second host associated with the computing system; and

wherein determining that the encryption key has not been previously decrypted is based on the nonce.

18. The system of claim 17, wherein the instructions, when executed by the processors, are further operable to cause the system to:

receive a third request from a second client device associated with a second user, the third request including the encryption key and the nonce;

determine that (1) the nonce was previously used, or (2) the nonce is not bound to the encryption key; and

reject the third request.

19. The system of claim 15, wherein the second host is configured to provide access to a webpage hosted by a third party.

20. The system of claim 15, wherein the instructions, when executed by the processors, are further operable to cause the system to:

receive, from the client device, a third request comprising the key stored as the second cookie;

generate a second authentication token based on the key received with the third request; and

transmit, to the client device in response to the third request, a web page including the second authentication token and instructions configured to cause the client device to:

compare the second authentication token with the authentication token stored as the first cookie; and

determine whether to present the web page based on the comparison.

21. A computer-implemented method, comprising:

receiving, by a computing system, a first request from a client device associated with a user, the first request directed to a first host associated with the computing system;

generating, by the computing system, a key in response to the first request;

generating, by the computing system, an authentication token based on the key;

generating, by the computing system, an encryption key based on the key;

transmitting, by the computing system, a first instruction, the authentication token, and the encryption key from the first host to the client device, the first instruction configured to:

cause the authentication token to be stored on the client device as a first cookie, the first cookie associated with the first host; and

cause the client device to transmit the encryption key to a second host associated with the computing system;

receiving, by the computing system, a second request comprising the encryption key from the client device;

decrypting, by the computing system, the received encryption key to obtain the key upon determining that the encryption key has not been previously decrypted; and

transmitting, by the computing system, from the second host to the client device, a second instruction and the key obtained by the decrypting, the second instruction configured to cause the key obtained by the decrypting to be stored on the client device as a second cookie, the second cookie associated with the second host.

22. The method of claim 21, further comprising:

receiving, by the computing system, a previous request from the client device, wherein the previous request is directed to a third host associated with the computing system and is received before the first request is received; and

transmitting, by the computing system, a redirection instruction to the client device in response to the previous request, the redirection instruction configured to cause the client device to send the first request to the first host.

23. The method of claim 21 or 22, further comprising:

generating, by the computing system, a one-time random number (nonce); and

transmitting, by the computing system, the nonce to the client device;

wherein the first instruction is configured to cause the client device to transmit the nonce with the encryption key to the second host associated with the computing system; and

wherein determining that the encryption key has not been previously decrypted is based on the nonce.

24. The method of claim 23, further comprising:

receiving, by the computing system, a third request from a second client device associated with a second user, the third request comprising the encryption key and the nonce;

determining, by the computing system, that (1) the nonce was previously used, or (2) the nonce is not bound to the encryption key; and

rejecting, by the computing system, the third request.

25. The method of any of claims 21 to 24, wherein the first cookie is configured to be accessible by client-side scripts, and wherein the second cookie is configured to be inaccessible by client-side scripts.

26. The method of any of claims 21 to 25, wherein the first host and the second host are different.

27. The method of any of claims 21 to 26, wherein the second host is configured to provide access to a webpage hosted by a third party.

28. The method of any of claims 21 to 27, further comprising:

receiving, by the computing system, a third request from the client device that includes the key stored as the second cookie;

generating, by the computing system, a second authentication token based on the key received with the third request; and

transmitting, by the computing system and in response to the third request, a web page to the client device, the web page including the second authentication token and instructions configured to cause the client device to:

compare the second authentication token with the authentication token stored as the first cookie; and

determine whether to present the web page based on the comparison.

29. One or more computer-readable non-transitory storage media embodying software that is operable when executed by one or more processors of a computing system to cause the processors, in particular the computing system, to perform a method comprising all the steps of the method according to any of claims 21 to 28.

30. A computing system, comprising: one or more processors; and one or more computer-readable non-transitory storage media coupled to one or more of the processors and comprising instructions operable, when executed by one or more of the processors, to cause the system to perform a method comprising all the steps of the method according to any one of claims 21 to 28.

Technical Field

The present disclosure relates generally to systems and methods for improving online security (e.g., preventing session fixation attacks).

Background

Online applications (e.g., websites) may enable people to access the internet in places where internet access via data plans may not be affordable. Online applications may act like portals, allowing third-party content and service providers to provide content and services to people who would otherwise not have access to their websites. Any content provided by the online application, including third-party website content, may be provided under the domain of the online application.

A mobile computing device (e.g., a smartphone, tablet computer, or laptop computer) may include functionality for determining its position, direction, or orientation, such as a GPS receiver, compass, gyroscope, or accelerometer. Such devices may also include functionality for wireless communications, such as Bluetooth communications, Near Field Communication (NFC), or Infrared (IR) communications, or communications with a Wireless Local Area Network (WLAN) or a cellular telephone network. Such devices may also include one or more cameras, scanners, touch screens, microphones, or speakers. The mobile computing device may also execute software applications, such as games, web browsers, or social networking applications. Using social networking applications, users can connect, communicate, and share information with other users in their social networks.

Summary of the specific embodiments

Certain embodiments disclosed herein relate to an online portal (e.g., hosted at 0.fbs.com) that provides people with access to internet services in markets where internet access may be less affordable. Through the portal, third-party websites can be accessed free of charge, without incurring data charges. These third-party websites may be served as subdomains of 0.fbs.com. For example, a third-party website hosted at www.3rdparty.com may be accessed through the portal from the host www-3rdparty-com.0.fbs.com. Because the third-party websites are subdomains, user cookies associated with higher-level domains (e.g., 0.fbs.com) may be vulnerable to attack from, for example, client-side scripts hosted on the third-party websites.
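To make the subdomain exposure concrete, here is an added Python model of RFC 6265 cookie scoping (illustrative code written for this page, not code from the patent or the portal). It assumes the host names beyond 0.fbs.com and www-3rdparty-com.0.fbs.com (secure-source.example and www-other-com.0.fbs.com are made up), and it omits public-suffix handling. It shows why a cookie scoped to 0.fbs.com is both readable and settable by a script on a third-party subdomain, while a host-only cookie on an independent secure source is neither.

```python
"""Added example: which cookies a browser sends to, and which scripts can read on, portal subdomains."""


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match for host names (IP literals not handled)."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == domain or host.endswith("." + domain)


def cookie_sent_to(cookie, request_host):
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.get("domain") is None:  # no Domain attribute: host-only cookie
        return request_host.lower() == cookie["set_by"].lower()
    return domain_matches(request_host, cookie["domain"])


def readable_by_script_on(cookie, page_host):
    """Can document.cookie on page_host read it? It must be sent there and not be HttpOnly."""
    return cookie_sent_to(cookie, page_host) and not cookie.get("httponly", False)


def page_may_set_cookie_for(page_host, domain):
    """RFC 6265 section 5.3 step 6: a page may set Domain=<domain> only if page_host domain-matches it.
    (Rejection of public suffixes such as Domain=com is omitted here.)"""
    return domain_matches(page_host, domain)


# Constructed sample cookies. 0.fbs.com and www-3rdparty-com.0.fbs.com are from the page;
# secure-source.example is an assumed name for the independent secure source.
PORTAL_COOKIE = {"name": "sid", "set_by": "0.fbs.com", "domain": "0.fbs.com"}
SECURE_COOKIE = {"name": "auth", "set_by": "secure-source.example", "domain": None}
REWRITE_COOKIE = {"name": "session", "set_by": "www-3rdparty-com.0.fbs.com",
                  "domain": None, "httponly": True}

THIRD_PARTY_HOST = "www-3rdparty-com.0.fbs.com"
OTHER_TENANT_HOST = "www-other-com.0.fbs.com"  # assumed: another third-party site on the portal


def exposure_report(page_host):
    """Summarise, for a script running on page_host, what it can read and which domains it can set."""
    return {
        "reads_portal_cookie": readable_by_script_on(PORTAL_COOKIE, page_host),
        "reads_secure_cookie": readable_by_script_on(SECURE_COOKIE, page_host),
        "reads_rewrite_cookie": readable_by_script_on(REWRITE_COOKIE, page_host),
        "can_set_for_0.fbs.com": page_may_set_cookie_for(page_host, "0.fbs.com"),
        "can_set_for_secure_source": page_may_set_cookie_for(page_host, "secure-source.example"),
    }


if __name__ == "__main__":
    for host in (THIRD_PARTY_HOST, OTHER_TENANT_HOST):
        print(host, exposure_report(host))
```

The report for www-3rdparty-com.0.fbs.com reads the portal-domain cookie and can set a cookie for 0.fbs.com, but it can neither read the secure source's host-only cookie nor set one for it; the rewrite host's own HttpOnly cookie is sent along with requests but hidden from scripts.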

To address this security issue, certain embodiments disclosed herein cause the authentication token to be stored as a cookie associated with a secure source that is independent of the third-party source, such that the authentication token cookie cannot be accessed or modified by client-side scripts (which may be malicious) hosted by the third-party source. In particular embodiments, a user may request that a session be established with the portal. The host of the portal may redirect the user's browser to the secure source rather than providing the user directly with the requested session key. The secure source may provide the user with an authentication token in response to the user's request, which the browser may later use to verify the integrity of the session key used in subsequent communications. The authentication token may be stored as a cookie associated with the secure source. The secure source may also provide the user with an encrypted version of the session key and a nonce, and redirect the user's browser to the rewrite source or proxy through which the third-party website is provided on the portal. In particular embodiments, the redirection may cause the encrypted version of the session key and the nonce to be presented to the rewrite source. If the nonce indicates that the encrypted key has not been previously decrypted, the server may decrypt the encrypted session key and return the decrypted session key to the browser for storage. Because of the nonce, the encrypted session key can only be decrypted once. Since only the user or an attacker (but not both) can obtain the decrypted session key from the server, the user and the attacker cannot both hold the same session key, which prevents session fixation.
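The handoff described above (claimed in claims 1, 3, 4 and 8, and restated in claims 9 to 28 and the embodiments below) as an added, runnable Python simulation. This is illustrative code written for this page, not the portal's own implementation. Assumptions: the host names (only www-3rdparty-com.0.fbs.com appears on the page; secure-source.example is a placeholder), HMAC-based derivation of the authentication token from the key, a secret-and-nonce-derived keystream standing in for a real AEAD such as AES-GCM for the "encryption key" (the encrypted session key), and an in-memory set of used nonces standing in for shared server state between the two hosts.

```python
import hashlib
import hmac
import secrets

# Assumed host names: only www-3rdparty-com.0.fbs.com appears on the page;
# secure-source.example is a placeholder for the independent secure source.
SECURE_HOST = "secure-source.example"
REWRITE_HOST = "www-3rdparty-com.0.fbs.com"


class Portal:
    """Server side shared by the secure source (first host) and the rewrite source (second host)."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)  # server-only secret, never sent to the client
        self.used_nonces = set()               # nonces whose encrypted key has been decrypted

    def _keystream(self, nonce):
        # Toy nonce-bound keystream standing in for a real AEAD such as AES-GCM.
        return hashlib.sha256(b"enc|" + self.secret + b"|" + nonce).digest()

    def _tag(self, nonce, ciphertext):
        # MAC binding the nonce to this particular encrypted key.
        return hmac.new(self.secret, b"tag|" + nonce + b"|" + ciphertext, hashlib.sha256).digest()

    def auth_token(self, key):
        # Token derived from the key: the browser can compare two tokens, but cannot forge one.
        return hmac.new(self.secret, b"auth|" + key, hashlib.sha256).hexdigest()

    def first_request(self):
        """First host: mint key, token, nonce and encrypted key; set the auth cookie; redirect."""
        key = secrets.token_bytes(32)    # session key
        nonce = secrets.token_bytes(16)  # one-time random number
        ciphertext = bytes(a ^ b for a, b in zip(key, self._keystream(nonce)))
        encrypted_key = (nonce, ciphertext, self._tag(nonce, ciphertext))
        return {
            "set_cookie": {"host": SECURE_HOST, "name": "auth", "value": self.auth_token(key)},
            "redirect": {"host": REWRITE_HOST, "encrypted_key": encrypted_key},
        }

    def second_request(self, nonce, ciphertext, tag):
        """Second host: decrypt exactly once, otherwise reject (returns None)."""
        if not hmac.compare_digest(tag, self._tag(nonce, ciphertext)):
            return None  # nonce is not bound to this encrypted key
        if nonce in self.used_nonces:
            return None  # nonce already used: the key was decrypted before
        self.used_nonces.add(nonce)
        key = bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce)))
        return {"set_cookie": {"host": REWRITE_HOST, "name": "session",
                               "value": key.hex(), "httponly": True}}

    def page_request(self, session_cookie):
        """Second host: serve a page carrying a token derived from the presented session key."""
        token = self.auth_token(bytes.fromhex(session_cookie))
        return {"page": "<third-party page>", "verify_token": token}


def render_decision(page_response, auth_cookie):
    """Client-side check: present the page only if its token equals the secure-source cookie."""
    return hmac.compare_digest(page_response["verify_token"], auth_cookie)


def establish_session(portal):
    """Honest browser walking through the full handoff. Returns (cookie jar, page rendered?)."""
    jar = {}
    r1 = portal.first_request()
    jar[(SECURE_HOST, "auth")] = r1["set_cookie"]["value"]
    r2 = portal.second_request(*r1["redirect"]["encrypted_key"])
    jar[(REWRITE_HOST, "session")] = r2["set_cookie"]["value"]
    r3 = portal.page_request(jar[(REWRITE_HOST, "session")])
    return jar, render_decision(r3, jar[(SECURE_HOST, "auth")])


def replay_is_rejected(portal):
    """An encrypted key presented a second time (e.g. from another device) is refused."""
    nonce, ciphertext, tag = portal.first_request()["redirect"]["encrypted_key"]
    first = portal.second_request(nonce, ciphertext, tag)
    second = portal.second_request(nonce, ciphertext, tag)
    return first is not None and second is None


def unbound_nonce_is_rejected(portal):
    """A nonce other than the one bound to the ciphertext fails the MAC check."""
    nonce, ciphertext, tag = portal.first_request()["redirect"]["encrypted_key"]
    other = bytes(b ^ 1 for b in nonce)
    return portal.second_request(other, ciphertext, tag) is None


def foreign_session_is_not_rendered(portal):
    """A session cookie from a different handoff does not match the user's auth cookie."""
    user_jar, _ = establish_session(portal)
    other_jar, _ = establish_session(portal)
    user_jar[(REWRITE_HOST, "session")] = other_jar[(REWRITE_HOST, "session")]
    r3 = portal.page_request(user_jar[(REWRITE_HOST, "session")])
    return not render_decision(r3, user_jar[(SECURE_HOST, "auth")])
```

The three checks at the end correspond to the page's guarantees: the nonce makes the encrypted key decryptable once (claim 4, case 1), the MAC rejects a nonce that is not bound to the encrypted key (claim 4, case 2), and the client-side comparison of claim 8 refuses to render when the session cookie and the secure-source auth cookie were not minted together.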

The embodiments disclosed herein are merely examples, and the scope of the present disclosure is not limited to them. Particular embodiments may include all, some, or none of the components, elements, features, functions, operations, or steps of the above-disclosed embodiments. Embodiments in accordance with the present invention are specifically disclosed in the accompanying claims directed to methods, storage media, systems, and computer program products, wherein any feature referred to in one claim category (e.g., method) may also be claimed in another claim category (e.g., system). The dependencies or back-references in the appended claims are chosen for formal reasons only. However, any subject matter resulting from an intentional back-reference to any preceding claim (especially multiple claims) may also be claimed, such that any combination of a claim and its features is disclosed and may be claimed, irrespective of the chosen dependencies in the appended claims. The subject matter which can be claimed comprises not only the combination of features as set forth in the appended claims, but also any other combination of features in the claims, wherein each feature mentioned in the claims can be combined with any other feature or combination of other features in the claims. Furthermore, any of the embodiments and features described or depicted herein may be claimed in a separate claim and/or in any combination with any of the embodiments or features described or depicted herein or in any combination with any of the features of the appended claims.

In an embodiment, a computer-implemented method may be provided, the method comprising the steps of:

receiving, by a computing system, a first request from a client device associated with a user, the first request directed to a first host associated with the computing system;

generating, by the computing system, a key in response to the first request;

generating, by the computing system, an authentication token based on the key;

generating, by the computing system, an encryption key based on the key;

transmitting, by the computing system, from the first host to the client device, a first instruction, the authentication token, and the encryption key, the first instruction configured to:

cause the authentication token to be stored on the client device as a first cookie, the first cookie associated with the first host; and

cause the client device to transmit the encryption key to a second host associated with the computing system;

receiving, by the computing system, a second request comprising the encryption key from the client device;

decrypting, by the computing system, the received encryption key to obtain the key upon determining that the encryption key has not been previously decrypted; and

transmitting, by the computing system, from the second host to the client device, a second instruction and the key obtained by the decrypting, the second instruction configured to cause the key obtained by the decrypting to be stored on the client device as a second cookie, the second cookie associated with the second host.

In an embodiment, one or more computer-readable non-transitory storage media may be provided, the storage media containing software that is operable, when executed by one or more processors of a computing system, to cause the processors, in particular the computing system, to perform a method comprising all the steps of the method according to any of the embodiments described herein or in the appended claims.

In an embodiment, a computing system may be provided, the computing system comprising: one or more processors; and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions, in particular computer-executable instructions, which when executed by the one or more processors are operable to cause the system to perform a method comprising all the steps of the method according to any of the embodiments described herein or in the appended claims.

In an embodiment, the method may further comprise:

receiving, by the computing system, a previous request from the client device, wherein the previous request is directed to a third host associated with the computing system and is received before the first request is received; and

transmitting, by the computing system, a redirection instruction to the client device in response to the previous request, the redirection instruction configured to cause the client device to send the first request to the first host.

In an embodiment, the method may further comprise:

generating, by the computing system, a one-time random number (nonce); and

transmitting, by the computing system, the nonce to the client device;

wherein the first instruction is configured to cause the client device to transmit the nonce with the encryption key to the second host associated with the computing system; and

wherein determining that the encryption key has not been previously decrypted is based on the nonce.

In an embodiment, the method may further comprise:

receiving, by the computing system, a third request from a second client device associated with a second user, the third request comprising the encryption key and the nonce;

determining, by the computing system, that (1) the nonce was previously used, or (2) the nonce is not bound to the encryption key; and

rejecting, by the computing system, the third request.

In an embodiment of the method, the first cookie may be configured to be accessible by client-side scripts, and the second cookie may be configured to be inaccessible by client-side scripts.

In an embodiment of the method, the first host and the second host may be different.

In an embodiment of the method, the second host may be configured to provide access to a webpage hosted by a third party.

In an embodiment, the method may further comprise:

receiving, by the computing system, a third request from the client device that includes the key stored as the second cookie;

generating, by the computing system, a second authentication token based on the key received with the third request; and

transmitting, by the computing system and in response to the third request, a web page to the client device, the web page including the second authentication token and instructions configured to cause the client device to:

compare the second authentication token with the authentication token stored as the first cookie; and

determine whether to present the web page based on the comparison.
