
Method of preventing spoofing of sessions in a progressive web app

IP.com Disclosure Number: IPCOM000254891D
Publication Date: 2018-Aug-10
Document File: 4 page(s) / 657K

Publishing Venue

The IP.com Prior Art Database

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 55% of the total text.


By copying the cookies and local storage from a browser it is easily possible to spoof a user's login; this is a major threat to a user's privacy and data.

a. The local state of a web application is maintained by the browser in:
   i. Cookies
   ii. Local Storage
b. By copying the above data from one browser or device to another, or by obtaining it through cross-site scripting (XSS), it is possible to spoof a user's login.
c. Even though a JSON Web Token (JWT) carries an expiration time, an attacker can do damage within that expiration window.

Here we aim to provide a solution that prevents spoofing of a web session by an attacker who either has physical access to the browser's storage or obtains its contents through XSS.

Solution

1. On the very first call to the server, the web app in the browser generates a JSON Web Token (JWT) and sends it to the server. The web app also stores the current timestamp in service worker memory. The JWT is signed, and the resulting JWS is the payload actually sent to the server.

2. The server receives the JWS, verifies and decodes it, and assigns a client ID to the browser. It stores the following record in a table:

   | Client ID | Current server timestamp | Browser fingerprint | Geolocation coordinates |

   The server additionally creates a list of seeds. Seeds are 8-bit sets of random characters, numbered starting from 1. The server's response to the web app contains the client ID assigned to it and the list of seeds.

3. The web app stores the client ID and the received list of seeds in service worker memory.

4a. The web app prompts the user to allow access for push notifications.

4b. If access has been granted for push notifications, a request to register for push notifications is sent to the server; otherwise nothing is done.

5. On receiving a request to register for push notifications (only if the user answered yes in step 4a), the server sends a push notification to the web app containing a unique token.

6. The client app adds the unique token received to the service worke...