
US-20260129037-A1 - System and Method for Enacting Authorized Mimicking of Authenticated Sessions in Web-Based Applications


Abstract

A method includes receiving a request to mimic an authenticated session between a target device and a web application hosted at a web server. The method includes receiving a request from a UI gateway for an enactment authentication token, the request including a target device identifier and a token associated with the enactment device. The method includes providing the enactment authentication token to the UI gateway. At a proxy server on the same internet domain as the web server, a request is received to access an enactment session with the web application at the enactment device, the request including the enactment authentication token. The enactment session is created between the enactment device and the web application. The enactment session between the enactment device and the web application mimics an authenticated session between the web application and the target device.

Inventors

  • Benjamin HUSSEY
  • Shashank Buch
  • Gaurav Gulati
  • Pragya Dixit

Assignees

  • Chewy, Inc.

Dates

Publication Date
2026-05-07
Application Date
2025-10-17

Claims (20)

  1. A method, comprising: receiving, at a UI gateway, a request from an enactment device to mimic an authenticated session between a target device and a web application hosted at a web server, the target device having a target device identifier; receiving, at a company-specific authorization account endpoint, a request from the UI gateway for an enactment authentication token, the request including the target device identifier and a token associated with the enactment device; providing, by the company-specific authorization account endpoint, the enactment authentication token to the UI gateway; receiving via the UI gateway, at a proxy server being at the same internet domain as the web server, a request to access an enactment session with the web application at the enactment device, the request including the enactment authentication token; and creating, at the web server, via the proxy server, the enactment session between the enactment device and the web application, wherein the enactment session between the enactment device and the web application mimics an authenticated session between the web application and the target device.
  2. The method of claim 1 further comprising: receiving, at the web server, a request from the target device to access an authenticated session of the web application; and creating, by the web server, the authenticated session between the target device and the web application.
  3. The method of claim 2, further comprising: detecting, at the UI gateway, a request to release access to the authenticated session of the web application for the target device; enabling, by the UI gateway, at least one function of the authenticated session of the web application for the target device previously disabled by the UI gateway; transmitting a release access request from the UI gateway to the web server; and clearing, by the web server, the enactment session between the enactment device and the web application, wherein clearing the enactment session includes deleting an access token cookie and a session token cookie.
  4. The method of claim 3, wherein the request to release access to the instance of the web application intended for the target device is a mouse-out or mouse-over event detected by the UI gateway.
  5. The method of claim 3, wherein transmitting a release access request includes, by the UI gateway, transmitting the request to an inline frame embedded in the UI gateway that is on the internet domain of the web application.
  6. The method of claim 2 further comprising: disabling, by the UI gateway, at least one function of the authenticated session between the target device and the web application.
  7. The method of claim 6, wherein the at least one function includes a cart function for the web application.
  8. The method of claim 1, wherein the web application includes a plurality of single page applications hosted by the web server at the same internet domain as the proxy server.
  9. The method of claim 1, wherein the web server restricts requests for session creation of the web application from servers operating on a different internet domain and wherein the UI gateway is a server that operates on a different internet domain than the web server.
  10. The method of claim 1, wherein the enactment authentication token provided to the UI gateway includes one or more of: a unique identifier of the enactment device, a permission identifier, and the target device identifier.
  11. The method of claim 1, wherein creating the enactment session includes setting an access token cookie and a session cookie specific to the enactment device.
  12-20. (canceled)
  21. A system comprising: a UI gateway configured to receive a request from an enactment device to mimic an authenticated session between a target device and a web application hosted at a web server, the target device having a target device identifier; a company-specific authorization account endpoint configured to: receive a request from the UI gateway for an enactment authentication token, the request including the target device identifier and a token associated with the enactment device; and provide the enactment authentication token to the UI gateway; and a proxy server being at the same internet domain as the web server and configured to receive a request to access an enactment session with the web application at the enactment device, the request including the enactment authentication token, wherein the web server is configured to, via the proxy server, create the enactment session between the enactment device and the web application, and wherein the enactment session between the enactment device and the web application mimics an authenticated session between the web application and the target device.
  22. The system of claim 21, wherein the web server is further configured to: receive a request from the target device to access an authenticated session of the web application; and create the authenticated session between the target device and the web application.
  23. The system of claim 22, wherein the UI gateway is further configured to: detect a request to release access to the authenticated session of the web application for the target device, enable at least one function of the authenticated session of the web application for the target device previously disabled by the UI gateway, and transmit a release access request from the UI gateway to the web server, wherein the web server is further configured to clear the enactment session between the enactment device and the web application, and wherein clearing the enactment session includes deleting an access token cookie and a session token cookie.
  24. The system of claim 23, wherein the web server, via a web-shell SPA of the web application, is further configured to detect a mouse-out or mouse-over event and transmit the request to release access to the instance of the web application intended for the target device.
  25. The system of claim 23, wherein the UI gateway is configured to transmit the release access request to an inline frame embedded in the UI gateway that is on the internet domain of the web application.
  26. The system of claim 22, wherein the web server is further configured to disable at least one function of the authenticated session between the target device and the web application.
  27. The system of claim 26, wherein the at least one function includes a cart function for the web application.
  28. The system of claim 21, wherein the web application includes a plurality of single page applications hosted by the web server at the same internet domain as the proxy server.
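The token exchange of claims 1, 3, 10 and 11, traced end to end as an added worked example (this is illustrative code written for this page, not code from the patent or from Chewy, Inc.). It models the three parties the claims name: the company-specific authorization account endpoint that mints the enactment authentication token, the proxy server on the web application's domain that validates it and creates the enactment session with an access token cookie and a session cookie, and the release path that deletes both cookies. Everything concrete is an assumption made here: the HMAC-SHA256 token format with a key shared between the endpoint and the proxy, the in-memory tables of enactment-device tokens and sessions, the 60-second lifetime, the single-use nonce, and the cookie names and attributes. The claims specify none of these; the short lifetime and single-use check are added because the enactment token is handed to a UI gateway on a different domain (claim 9) before it reaches the proxy, so a leaked or replayed token should buy an attacker as little as possible.

```python
"""Toy model of the enactment-session flow (claims 1, 3, 10, 11).

Constructed example for illustration; not the patent's or Chewy's code.
Token format, key handling, stores, lifetimes and cookie names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed: one symmetric key shared by the authorization endpoint and the proxy.
AUTH_ENDPOINT_KEY = b"assumed-shared-secret-between-auth-endpoint-and-proxy"

# Assumed registry at the authorization endpoint: which enactment-device tokens
# are known and which permission identifier each carries (claim 10).
ENACTMENT_DEVICE_TOKENS = {
    "agent-token-7f3a": {"enactment_device_id": "agent-01",
                         "permission_id": "support.view_cart"},
}

ENACTMENT_SESSIONS = {}   # session_id -> session record (proxy/web-server side)
USED_NONCES = set()       # assumed hardening: each enactment token is single-use


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- company-specific authorization account endpoint -----------------------
def issue_enactment_auth_token(target_device_id, enactment_device_token,
                               now=None, ttl=60):
    """Mint the enactment authentication token for the UI gateway.

    Returns None when the enactment device's own token is unknown. The payload
    carries the three fields of claim 10 plus an assumed expiry and nonce.
    """
    principal = ENACTMENT_DEVICE_TOKENS.get(enactment_device_token)
    if principal is None:
        return None
    payload = {
        "enactment_device_id": principal["enactment_device_id"],
        "permission_id": principal["permission_id"],
        "target_device_id": target_device_id,
        "exp": (now if now is not None else time.time()) + ttl,
        "nonce": secrets.token_hex(8),
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(AUTH_ENDPOINT_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


# --- proxy server on the web server's domain -------------------------------
def verify_enactment_auth_token(token, now=None):
    """Check signature and expiry; return the payload or None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(AUTH_ENDPOINT_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(_unb64(body))
    if payload["exp"] < (now if now is not None else time.time()):
        return None
    return payload


def create_enactment_session(token, now=None):
    """Create the enactment session (claims 1 and 11).

    Returns (session_id, cookies_to_set) or None if the token is rejected.
    The cookies are specific to the enactment device; Secure/HttpOnly/SameSite
    are assumed hardening, not something the claims state.
    """
    payload = verify_enactment_auth_token(token, now)
    if payload is None or payload["nonce"] in USED_NONCES:
        return None
    USED_NONCES.add(payload["nonce"])
    session_id = secrets.token_urlsafe(16)
    access_token = secrets.token_urlsafe(16)
    ENACTMENT_SESSIONS[session_id] = {**payload, "access_token": access_token}
    attrs = "; Secure; HttpOnly; SameSite=Strict; Path=/"
    return session_id, {"enact_access_token": access_token + attrs,
                        "enact_session": session_id + attrs}


def release_enactment_session(session_id):
    """Clear the enactment session (claim 3): drop the server record and
    return Set-Cookie values that delete both cookies, or None if unknown."""
    if ENACTMENT_SESSIONS.pop(session_id, None) is None:
        return None
    expire = "; Max-Age=0; Secure; HttpOnly; SameSite=Strict; Path=/"
    return {"enact_access_token": expire, "enact_session": expire}
```

Two checks a reviewer of a real implementation would want and that this model makes explicit: the proxy rejects a token whose HMAC does not verify or whose expiry has passed, and a token that has already created a session is refused a second time, so the UI gateway forwarding the same token twice (or an attacker who captured it in transit) cannot open another enactment session. Releasing a session both removes the server-side record and emits `Max-Age=0` cookies, which is the concrete form of "deleting an access token cookie and a session token cookie" in claim 3.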

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Ser. No. 63/716,452 filed Nov. 5, 2024 entitled "System and Method for Enacting Authorized Mimicking of Authenticated Sessions in Web-Based Applications", which is incorporated by reference herein in its entirety.

TECHNICAL FIELD

The present disclosure generally relates to systems for enacting authorized mimicking of authenticated sessions in web-based applications.

SUMMARY

In one embodiment there is a method including receiving, at a UI gateway, a request from an enactment device to mimic an authenticated session between a target device and a web application hosted at a web server, the target device having a target device identifier; receiving, at a company-specific authorization account endpoint, a request from the UI gateway for an enactment authentication token, the request including the target device identifier and a token associated with the enactment device; providing, by the company-specific authorization account endpoint, the enactment authentication token to the UI gateway; receiving via the UI gateway, at a proxy server being at the same internet domain as the web server, a request to access an enactment session with the web application at the enactment device, the request including the enactment authentication token; and creating, at the web server, via the proxy server, the enactment session between the enactment device and the web application, wherein the enactment session between the enactment device and the web application mimics an authenticated session between the web application and the target device.

In some embodiments, the method further includes receiving, at the web server, a request from the target device to access an authenticated session of the web application, and creating, by the web server, the authenticated session between the target device and the web application.

In some embodiments the method further includes detecting, at the UI gateway, a request to release access to the authenticated session of the web application for the target device; enabling, by the UI gateway, at least one function of the authenticated session of the web application for the target device previously disabled by the UI gateway; transmitting a release access request from the UI gateway to the web server; and clearing, by the web server, the enactment session between the enactment device and the web application, wherein clearing the enactment session includes deleting an access token cookie and a session token cookie.

In some embodiments, the request to release access to the instance of the web application intended for the target device is a mouse-out or mouse-over event detected by the UI gateway. In some embodiments, transmitting a release access request includes, by the UI gateway, transmitting the request to an inline frame embedded in the UI gateway that is on the internet domain of the web application. In some embodiments the method further includes disabling, by the UI gateway, at least one function of the authenticated session between the target device and the web application. In some embodiments, the at least one function includes a cart function for the web application. In some embodiments, the web application includes a plurality of single page applications hosted by the web server at the same internet domain as the proxy server. In some embodiments, the web server restricts requests for session creation of the web application from servers operating on a different internet domain, and the UI gateway is a server that operates on a different internet domain than the web server. In some embodiments, the enactment authentication token provided to the UI gateway includes one or more of: a unique identifier of the enactment device, a permission identifier, and the target device identifier. In some embodiments, creating the enactment session includes setting an access token cookie and a session cookie specific to the enactment device.

In another embodiment there is a method including receiving, from a UI gateway, a request from an enactment device to mimic an authenticated session between a web application hosted by a web server and a target device, wherein the UI gateway includes an inline frame embedding a web-shell single-page application (SPA) therein, wherein the web-shell SPA is configured to connect the UI gateway to the web server, wherein the UI gateway operates on a different internet domain than the web-shell SPA and the web server, and wherein the web server restricts direct access to the web application for the UI gateway; transmitting, from the web server to the inline frame, a respective web page of the web application; displaying at the enactment device in communication with the UI gateway the web application including the inline frame embedding the web-shell single-page application and an inline frame hosting the respective web page of the web application; detecting a user action at the enactme