1. Technical Field
This disclosure relates generally to web application security and, in particular, to enabling a user to access the application using a link in a notification message but without requiring the user to re-enter login credentials.
2. Background of the Related Art
Many web applications send their users various notification messages (typically emails) from which the users can access the application by selecting a URL in the message. When a user receives a notification email containing an embedded URL, he or she selects the link, which opens the user's browser at a login page. There, the user is challenged to enter credentials to authenticate to the application. This approach, which requires the user to enter information manually, results in a poor user experience; it also trains users to enter their credentials in response to links included in emails, a habit that is exploited extensively in phishing attacks.
One solution to the problem of requiring users to log in to the web application manually when they follow a notification email link is for the user to instruct the browser to remember some user credential; in this way, the credential does not have to be re-entered on each occasion when login is required. Another solution is for the application to offer a “remember me” option so that the user stays logged in to the application (or is logged in automatically). These solutions provide some benefits, but only when the user accesses the application from the same web browser, which limits their usefulness. Yet another solution is to include in notification emails URLs that contain all of the data (e.g., a secret or signed parameter) required to authenticate the user. This approach, however, suffers from a serious security flaw: anyone who happens to have access to the notification email (e.g., because the user has forwarded it without being aware of the consequences) may access the application on the user's behalf.
HTTP cookies (see IETF RFC 6265) provide a way of managing sessions and state between web browsers and web servers over the HTTP protocol. In a typical browser-server interaction, a web application sets a cookie in its response, and the browser presents that cookie with subsequent requests until the web application expires it. Web applications rely on cookies for security purposes such as authentication and session control.
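The following is an added illustration, not code from this disclosure, of the two mechanisms the background contrasts: a signed notification link that carries everything needed to authenticate (so any holder of the email is logged in), beside an assumed mitigation in which the link's signature also covers a cookie value the browser received at an earlier login, so the emailed link alone is insufficient. The signing key, token layout and cookie value are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed server-side secret for this example; a real deployment keeps it in a secret store.
SERVER_KEY = b"example-signing-key-constructed-for-illustration"


def _sign(data: str) -> str:
    mac = hmac.new(SERVER_KEY, data.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def make_self_contained_link(user: str, expires: int) -> str:
    """Token of the kind criticised above: all data needed to authenticate travels in the emailed URL."""
    payload = f"{user}|{expires}"
    return f"{payload}|{_sign(payload)}"


def verify_self_contained(token: str, now: int):
    """Returns the user name, or None. Nothing ties the token to the presenting browser,
    so whoever holds the email (e.g. the recipient of a forward) is logged in."""
    try:
        user, expires, sig = token.split("|")
    except ValueError:
        return None
    if now > int(expires) or not hmac.compare_digest(sig, _sign(f"{user}|{expires}")):
        return None
    return user


def make_cookie_bound_link(user: str, expires: int, login_cookie: str) -> str:
    """Assumed mitigation: the signature also covers a cookie value the browser was given
    at an earlier login. The cookie value itself is never placed in the email."""
    payload = f"{user}|{expires}"
    return f"{payload}|{_sign(payload + '|' + login_cookie)}"


def verify_cookie_bound(token: str, now: int, presented_cookie):
    """Returns the user name only when the link and the matching cookie arrive together."""
    if presented_cookie is None:
        return None
    try:
        user, expires, sig = token.split("|")
    except ValueError:
        return None
    if now > int(expires):
        return None
    expected = _sign(f"{user}|{expires}|{presented_cookie}")
    return user if hmac.compare_digest(sig, expected) else None
```

A forwarded cookie-bound link fails verification in another browser because that browser lacks the cookie, while the self-contained link succeeds for any holder until it expires.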