In the era of the Internet of Things, and with the proliferation of many different types of human interface devices, users may desire to maintain a session for a long period of time. However, if a session remains open for a period of time without receiving any communications from a particular device, to promote security and efficient use of resources the hosted service provider may desire to end the session. The user will then be required to log in to the hosted service again and begin a new session. This can lead to an undesirable user experience.
In the prior art, to maintain a stateful session using the Hypertext Transfer Protocol (HTTP), authentication cookies are commonly used. Authentication cookies are used by web servers to determine whether the user of a particular device is logged in to a session or not, and to identify the account with which the user has been logged in.
Because an authentication cookie is essentially just a session identifier, there is a risk that a malicious entity can attempt to impersonate a legitimate user's request by stealing the user's authentication cookie. From the web server's point of view, a malicious entity may appear to be the legitimate user because the malicious entity has the legitimate user's cookie.
To mitigate this risk, the web server may set a shorter cookie lifetime, so as to periodically invalidate potentially leaked authentication cookies. However, this can lead to a less than desirable user experience, as end users may be asked to authenticate again on a frequent basis, even when using a private device. In addition, a cookie is not useful for maintaining a session across multiple devices.
This document describes methods and systems for securely maintaining a user session for a long period of time, and in some embodiments across multiple hosted services and/or multiple devices.