Abstract
An apparatus and a method for validating requests to thwart cross-site attacks is described. A user identifier token, a request identifier token, and a timestamp, are generated at a web application of a server. A Message Authentication Code (MAC) value is formed based on the user identifier token, the request identifier token, and the timestamp using a secret key of the web application. The form is sent with the MAC value and the time stamp to a client. A completed form comprising a returned MAC value and a returned timestamp is received from the client. The completed form is validated at the server based on the returned MAC value and the returned timestamp.
Main claim
1. A method comprising:
generating, by a processing device at a server, a user identifier token, a request identifier token, and an original timestamp, wherein the request identifier token identifies a requested action; composing, by the server using a secret key, an original Message Authentication Code (MAC) value in view of the user identifier token, the request identifier token, and the original timestamp; sending, from the server to a client, the original MAC value, the original timestamp, and an original form of a web application hosted by the server; receiving, at the server from the client, a completed form comprising a returned MAC value and a returned timestamp; and validating, by the server, the completed form in view of the returned MAC value and the returned timestamp.
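The following is an added worked example of the claimed scheme, written for this page; it is not code from the patent or from any product implementing it. It assumes HMAC-SHA256 as the MAC, a constructed server secret, a hidden-field form that carries the request identifier token, the timestamp and the MAC back to the server, and that the server takes the user identifier token from the authenticated session rather than from the form (so a token issued for one user cannot be replayed by another). The expiry window, the length-prefixed field encoding and the `action:nonce` layout of the request identifier token are illustration choices, not something the page specifies.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed secret for the example; a real deployment generates and stores its own.
SERVER_SECRET_KEY = b"example-web-application-secret-key-do-not-reuse"
# Assumed validity window for an issued form (the page names no particular value).
TOKEN_MAX_AGE_SECONDS = 15 * 60


def _mac(user_token: str, request_token: str, timestamp: int,
         key: bytes = SERVER_SECRET_KEY) -> str:
    """Compose the MAC over user token, request token and timestamp.

    Each field is length-prefixed before concatenation so that the boundary
    between fields is unambiguous (plain concatenation would let different
    field splits produce the same MAC input).
    """
    fields = (user_token.encode(), request_token.encode(), str(timestamp).encode())
    message = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def issue_form(user_token: str, action: str, now: Optional[int] = None,
               key: bytes = SERVER_SECRET_KEY) -> dict:
    """Server side: generate the tokens and timestamp and attach the MAC to the form.

    The request identifier token names the requested action and carries a random
    nonce, so a MAC issued for one action cannot be reused for another.
    """
    timestamp = int(time.time()) if now is None else now
    request_token = f"{action}:{secrets.token_hex(8)}"
    return {
        "request_token": request_token,   # hidden field
        "timestamp": str(timestamp),      # hidden field (form values are strings)
        "mac": _mac(user_token, request_token, timestamp, key),  # hidden field
    }


def validate_form(completed: dict, session_user_token: str, expected_action: str,
                  now: Optional[int] = None,
                  key: bytes = SERVER_SECRET_KEY) -> Tuple[bool, str]:
    """Server side: validate the returned form against the returned MAC and timestamp.

    The user token comes from the server's own session, never from the client, so
    the MAC binds the submission to the user the form was issued to.
    """
    current = int(time.time()) if now is None else now
    try:
        request_token = str(completed["request_token"])
        returned_ts = int(completed["timestamp"])
        returned_mac = str(completed["mac"])
    except (KeyError, ValueError, TypeError):
        return False, "missing or malformed field"

    # Recompute the MAC over what the server trusts plus what the client returned.
    expected_mac = _mac(session_user_token, request_token, returned_ts, key)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected_mac, returned_mac):
        return False, "MAC mismatch"

    # Only after the MAC checks out is the timestamp trusted for the expiry test.
    if returned_ts > current or current - returned_ts > TOKEN_MAX_AGE_SECONDS:
        return False, "form expired or timestamp in the future"

    # The request token must name the action this endpoint actually performs.
    if request_token.split(":", 1)[0] != expected_action:
        return False, "request token issued for a different action"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000
    form = issue_form("user-42", "transfer", now=issued_at)
    print(validate_form(form, "user-42", "transfer", now=issued_at + 60))
```

Each rejection path maps to one part of the claim: a MAC mismatch covers tampering with any protected field or submission by a different user, the age check covers replay of an old form, and the action check covers reuse of a valid form against a different endpoint.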