Many services can be accessed using both a native client application and a web interface. For example, a user may be able to access files stored in an online file storage system using both a client application provided by the storage service that is installed on the user's device and through a web browser. Some systems may provide only a subset of functionality through either the client application or the web interface. In these configurations a user may be able to initiate a particular feature from an interface where the feature is not actually available and the initiation action can result in activation of the feature on the other interface. For example, a user may initiate an account settings feature from the client application. This action would result in automatically opening a web browser with the account settings page loaded.
To present user account specific features through a web interface, the user generally must be authenticated with the server. A way to accomplish this is to present the user with a log in page prior to presenting the requested feature. This is a viable approach, but it degrades the user experience. A better user experience could use the fact that the user is already authenticated on the client application to automatically authenticate the user through the web interface. A straightforward technique for logging a user in to a website using a client application to authenticate the user is to pass the authentication information, such as the user's password, in a uniform resource locator (URL). However, this approach has a number of security issues. One important security problem is that anyone with access to the URL can use it to access the user's account. For example, if the user posts the URL to a social media site anyone can use the URL to log in to the user's account.