
US-20260127253-A1 - SESSION REUSE IN DIFFERENT BROWSING CONTEXTS


Abstract

The present disclosure relates to computer-implemented methods, software, and systems for reusing an existing user session in different browsing contexts. A request associated with a user can be received. The request can be for loading a first web application in an embedding context of a second web application, where the user is authenticated into the second web application at a first identity provider. A unique identifier can be generated to be assigned to a session for loading the first web application in a new browsing tab. The first web application can be triggered to be loaded into the new browsing tab by assigning the unique identifier to a current session of the user. The first web application can be refreshed in the embedded context of the second web application to search for a session associated with the generated identifier and to reuse that session for rendering.

Inventors

  • Radoslav Ivanov Sugarev
  • Ivan Krastev Ikonomov

Assignees

  • SAP SE

Dates

Publication Date: 2026-05-07
Application Date: 2024-11-05

Claims (20)

  1. A computer-implemented method, comprising: receiving a request associated with a user to load a first web application in an embedding context of a second web application, wherein a user is authenticated into the second web application at a first identity provider; based on the received request, generating a unique identifier to be assigned to a session for loading the first web application in a new browsing tab; triggering to load the first web application into the new browsing tab by assigning the unique identifier to a current session of the user; and refreshing the first web application into the embedded context of the second web application to search for a session associated with the generated identifier and to reuse the session for rendering.
  2. The method of claim 1, wherein triggering to load the first web application comprises: determining whether there is an existing session for the user at the first web application; and in response to determining that the existing session is the current session, assigning the current session with the unique identifier.
  3. The method of claim 1, wherein triggering to load the first web application comprises: determining whether there is an existing session for the user at the first web application; in response to determining that there is no existing session for the user at the first web application, generating the current session for the user at the first web application, and generating session cookies comprising user credentials; and assigning the current session with the unique identifier.
  4. The method of claim 3, wherein in response to determining that there is no existing session for the user, triggering authentication of the user for the first web application at a second identity provider.
  5. The method of claim 4, wherein the first identity provider and the second identity provider are not identical.
  6. The method of claim 4, wherein the second identity provider is identical to the first identity provider, and wherein, when the authentication of the user is triggered at the first identity provider, an established session for the user when the user was authenticated for the second web application is reused for authenticating the user for the first web application.
  7. The method of claim 1, wherein the first web application is associated with a plurality of application instances, wherein generating the unique identifier is performed by a first instance of the first web application.
  8. The method of claim 7, wherein generating the current session for the user is performed at a second instance of the first web application different from the first instance.
  9. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform one or more operations, comprising: receiving a request associated with a user to load a first web application in an embedding context of a second web application, wherein a user is authenticated into the second web application at a first identity provider; based on the received request, generating a unique identifier to be assigned to a session for loading the first web application in a new browsing tab; triggering to load the first web application into the new browsing tab by assigning the unique identifier to a current session of the user; and refreshing the first web application into the embedded context of the second web application to search for a session associated with the generated identifier and to reuse the session for rendering.
  10. The non-transitory, computer-readable medium of claim 9, wherein triggering to load the first web application comprises: determining whether there is an existing session for the user at the first web application; and in response to determining that the existing session is the current session, assigning the current session with the unique identifier.
  11. The non-transitory, computer-readable medium of claim 9, wherein triggering to load the first web application comprises: determining whether there is an existing session for the user at the first web application; in response to determining that there is no existing session for the user at the first web application, generating the current session for the user at the first web application, and generating session cookies comprising user credentials; and assigning the current session with the unique identifier.
  12. The non-transitory, computer-readable medium of claim 11, wherein in response to determining that there is no existing session for the user, triggering authentication of the user for the first web application at a second identity provider.
  13. The non-transitory, computer-readable medium of claim 12, wherein the first identity provider and the second identity provider are not identical.
  14. The non-transitory, computer-readable medium of claim 12, wherein the second identity provider is identical to the first identity provider, and wherein, when the authentication of the user is triggered at the first identity provider, an established session for the user when the user was authenticated for the second web application is reused for authenticating the user for the first web application.
  15. A computer-implemented system, comprising: one or more computers; and one or more computer memory devices interoperably coupled with the one or more computers and having tangible, non-transitory, machine-readable media storing one or more instructions that, when executed by the one or more computers, perform one or more operations, comprising: receiving a request associated with a user to load a first web application in an embedding context of a second web application, wherein a user is authenticated into the second web application at a first identity provider; based on the received request, generating a unique identifier to be assigned to a session for loading the first web application in a new browsing tab; triggering to load the first web application into the new browsing tab by assigning the unique identifier to a current session of the user; and refreshing the first web application into the embedded context of the second web application to search for a session associated with the generated identifier and to reuse the session for rendering.
  16. The system of claim 15, wherein triggering to load the first web application comprises: determining whether there is an existing session for the user at the first web application; and in response to determining that the existing session is the current session, assigning the current session with the unique identifier.
  17. The system of claim 15, wherein triggering to load the first web application comprises: determining whether there is an existing session for the user at the first web application; in response to determining that there is no existing session for the user at the first web application, generating the current session for the user at the first web application, and generating session cookies comprising user credentials; and assigning the current session with the unique identifier.
  18. The system of claim 17, wherein in response to determining that there is no existing session for the user, triggering authentication of the user for the first web application at a second identity provider.
  19. The system of claim 18, wherein the first identity provider and the second identity provider are not identical.
  20. The system of claim 18, wherein the second identity provider is identical to the first identity provider, and wherein, when the authentication of the user is triggered at the first identity provider, an established session for the user when the user was authenticated for the second web application is reused for authenticating the user for the first web application.

Description

TECHNICAL FIELD

The present disclosure relates to computer-implemented methods, software, and systems for access management and security.

BACKGROUND

Software applications can provide services and access resources. Resources may be restricted to a limited number of users based on user rights and roles. Tokens, credentials, keys, or other suitable methods and tools can be used to authenticate requests to gain access to restricted resources. Applications can be provided in a shared context where one application is accessible through another application. When a user requests access to a resource provided by an application, the user may be validated to determine whether the user is authorized to access the resource, which can happen through an identity provider.

SUMMARY

The present disclosure describes mechanisms to implement an authentication mechanism that allows reuse of existing user sessions in different browsing contexts. In some instances, a method includes: receiving a request associated with a user to load a first web application in an embedding context of a second web application, wherein a user is authenticated into the second web application at a first identity provider; based on the received request, generating a unique identifier to be assigned to a session for loading the first web application in a new browsing tab; triggering to load the first web application into the new browsing tab by assigning the unique identifier to a current session of the user; and refreshing the first web application into the embedded context of the second web application to search for a session associated with the generated identifier and to reuse the session for rendering.

In some instances, triggering to load the first web application can include: determining whether there is an existing session for the user at the first web application; and in response to determining that the existing session is the current session, assigning the current session with the unique identifier. In some instances, triggering to load the first web application can include determining whether there is an existing session for the user at the first web application. In response to determining that there is no existing session for the user at the first web application, the current session for the user at the first web application can be generated and session cookies including user credentials can be generated. The current session can then be assigned the unique identifier. In some instances, when it is determined that there is no existing session for the user, authentication of the user for the first web application can be triggered at a second identity provider. In some instances, the first identity provider and the second identity provider are not identical. In some instances, the second identity provider can be identical to the first identity provider. When the authentication of the user is triggered at the first identity provider, an established session for the user when the user was authenticated for the second web application can be reused for authenticating the user for the first web application. In some instances, the first web application can be associated with a plurality of application instances, wherein generating the unique identifier is performed by a first instance of the first web application. In some cases, generating the current session for the user can be performed at a second instance of the first web application different from the first instance.
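The three steps described above (generate a hand-off identifier for the embedded load, bind it to the session the new tab establishes or reuses, then let the embedded context look the session up by that identifier) as a server-side model. This is an added example, not the patent's or SAP's code; the `SessionStore` class, its method names, the 60-second expiry and the single-use rule are assumptions chosen to keep the identifier from being replayed or used by a different user.

```python
"""Added example (not from the patent): server-side hand-off of a session from a
new browsing tab back to the embedded context that cannot see the tab's cookies."""
import secrets
import time

HANDOFF_TTL_SECONDS = 60  # assumption: a hand-off identifier is only valid briefly


class SessionStore:
    """Sessions of the first web application plus the hand-off identifiers
    that temporarily point at them. Hypothetical names throughout."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # session_id -> {"user": ...}
        self.handoffs = {}   # handoff_id -> {"user", "session", "expires"}

    def request_embedded_load(self, user):
        """Step 1: the embedded context asks to load the app for an already
        authenticated user; generate the unique identifier for the session the
        new tab will establish. It is bound to the user it was issued for."""
        handoff_id = secrets.token_urlsafe(32)
        self.handoffs[handoff_id] = {"user": user, "session": None,
                                     "expires": self.clock() + HANDOFF_TTL_SECONDS}
        return handoff_id

    def open_new_tab(self, handoff_id, user, existing_session_id=None):
        """Step 2: the new tab loads the app. Reuse the user's current session
        if the tab presents a valid one, otherwise create a fresh session (the
        identity-provider round trip is out of scope), then bind the identifier
        to that session. A different user cannot claim someone else's hand-off."""
        entry = self.handoffs.get(handoff_id)
        if entry is None or entry["user"] != user:
            raise PermissionError("unknown hand-off identifier or wrong user")
        sid = existing_session_id
        if sid not in self.sessions or self.sessions[sid]["user"] != user:
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"user": user}
        entry["session"] = sid
        return sid

    def refresh_embedded(self, handoff_id):
        """Step 3: the embedded context refreshes and searches for the session
        by identifier. Expired identifiers are discarded; a bound identifier is
        consumed on first successful lookup so it cannot be replayed."""
        entry = self.handoffs.get(handoff_id)
        if entry is None or entry["expires"] < self.clock():
            self.handoffs.pop(handoff_id, None)
            return None
        if entry["session"] is None:
            return None  # the new tab has not bound a session yet; caller may retry
        return self.handoffs.pop(handoff_id)["session"]
```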
The described subject matter can be implemented using a computer-implemented method; a non-transitory, computer-readable medium storing computer-readable instructions to perform the computer-implemented method; and a computer-implemented system including one or more computer memory devices interoperably coupled with one or more computers and having tangible, non-transitory, machine-readable media storing instructions that, when executed by the one or more computers, perform the computer-implemented method/the computer-readable instructions stored on the non-transitory, computer-readable medium. The subject matter described in this specification can be implemented to realize one or more of the following advantages. The techniques of the present disclosure support a secure authentication mechanism that connects instances invoked by a user by reusing existing user sessions even in cases where a browser application limits the sharing of cookies between browsing tabs. If cookies cannot be shared between browsing contexts in a browser, authentication has to be performed separately in each context, and logging out in one browser tab (one context) would not log the user out of another tab (another context of the same application). Based on techniques of the present disclosure, the authentication implementation on the application side can be adjusted so that authentication in a given new browsing tab is triggered only when the application is accessed through an embedded context of another application. Di