Electronic device and method for using web application
By isolating cookie data and managing processes in separate access protection areas, the electronic device addresses the challenge of seamless and secure account transitions in web applications, ensuring privacy and security during SSO operations.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- SAMSUNG ELECTRONICS CO LTD
- Filing Date
- 2025-12-19
- Publication Date
- 2026-06-25
AI Technical Summary
Existing electronic devices struggle with seamless transitions between user accounts in web applications, particularly when using single sign-on (SSO) features, leading to potential privacy issues and data exposure due to shared cookie data.
The electronic device implements a method to identify transitions between user accounts while maintaining web application execution, isolating cookie data using security methods and storing it in separate access protection areas, such as sandbox environments, and managing processes like browser, rendering, and network processes to ensure secure account switching.
This approach ensures secure and seamless account transitions, protecting user privacy by isolating cookie data and preventing exposure across accounts, thus enhancing security and user experience in multi-account environments.
Smart Images

Figure KR2025022317_25062026_PF_FP_ABST
Abstract
Description
Electronic device and method using a web application
[0001] The various embodiments disclosed in this document relate to electronic devices and methods using web applications.
[0002] Platforms used in electronic devices such as smart TVs are evolving to support individual accounts for personalized user services. For example, the system is shifting from using a single account on a TV in the past to registering and using multiple accounts.
[0003] Web applications on these electronic devices operate through web browsers, web engines, or web views, and enable the use of multiple web applications through a single login via features such as SSO (single sign-on).
[0004] The information described above may be provided as related art for the purpose of aiding understanding of the present disclosure. No claim or determination is made as to whether any of the foregoing may be applied as prior art related to the present disclosure.
[0005] According to one embodiment of the present disclosure, an electronic device may include a memory comprising at least one storage medium for storing instructions; and at least one processor comprising a processing circuit. The at least one processor may: identify a transition from the first user account to a second user account while the web application is running based on a first user account, and based on identifying the transition from the first user account to the second user account, change cookie data for a web browser used for running the web application from first cookie data associated with the first user account to second cookie data associated with the second user account while maintaining the execution of the web application, and receive user input for running the web application based on the second user account. Maintaining the execution of the web application may include maintaining the execution of at least one process associated with the web application.
[0006] According to one embodiment, the first cookie data may be isolated from the second cookie data using a specified security method.
[0007] According to one embodiment, the first cookie data may be configured to be stored in an access protection area (e.g., a sandbox environment) different from the second cookie data.
[0008] According to one embodiment, the processor may: terminate at least one tab associated with the first user account in the web browser before receiving the user input for executing the web application based on the second user account.
[0009] According to one embodiment, the processor may: in response to receiving the user input for executing the web application based on the second user account, create at least one tab associated with the second user account within the web browser.
[0010] According to one embodiment, the at least one process may include one or more of a browser process for managing the functions of the web browser, a rendering process for rendering data received from a server to display a screen on the web browser, or a network process for communicating with the server.
[0011] According to one embodiment, the first cookie data may include identification information of a first session established for communication between the web browser and the server based on the first user account, and the second cookie data may include identification information of a second session established for communication between the web browser and the server based on the second user account.
[0012] According to one embodiment, the first user account may correspond to a single sign-on (SSO) account connected to a platform account of a user different from the second user account.
[0013] According to one embodiment, the processor can: identify that a specified timeout time has expired while the web application is running based on the second user account, and based on identifying that the timeout time has expired, change cookie data for the web application from the second cookie data to guest cookie data associated with the guest account while maintaining the execution of the web application.
[0014] According to one embodiment, the processor receives user input to execute the web application based on the second user account while the web application is running based on the guest account, and in response to the user input, while maintaining the execution of the web application, changes cookie data for the web application from the guest cookie data to third cookie data associated with the second user account, and the third cookie data may be set to be identical to the second cookie data.
[0015] According to one embodiment of the present disclosure, a method of an electronic device may include: identifying a transition from a first user account to a second user account while a web application is running based on a first user account; changing cookie data for a web browser used for running the web application from first cookie data associated with the first user account to second cookie data associated with the second user account while maintaining the execution of the web application based on identifying the transition from the first user account to the second user account; and receiving user input for running the web application based on the second user account. Maintaining the execution of the web application may include maintaining the execution of at least one process associated with the web application.
[0016] According to one embodiment, the first cookie data may be isolated from the second cookie data using a specified security method.
[0017] According to one embodiment, the first cookie data may be configured to be stored in an access protection area (e.g., a sandbox environment) different from the second cookie data.
[0018] According to one embodiment, the method may include the action of closing at least one tab associated with the first user account in the web browser before receiving the user input for executing the web application based on the second user account.
[0019] According to one embodiment, the method may include: in response to receiving the user input for executing the web application based on the second user account, creating at least one tab associated with the second user account within the web browser.
[0020] According to one embodiment, the at least one process may include one or more of a browser process for managing the functions of the web browser, a rendering process for rendering data received from a server to display a screen on the web browser, or a network process for communicating with the server.
[0021] According to one embodiment, the first cookie data may include identification information of a first session established for communication between the web browser and the server based on the first user account, and the second cookie data may include identification information of a second session established for communication between the web browser and the server based on the second user account.
[0022] According to one embodiment, the first user account may correspond to a single sign-on (SSO) account connected to a platform account of a user different from the second user account.
[0023] According to one embodiment, the method may include: identifying that a specified timeout time has expired while the web application is running based on the second user account; and, based on identifying that the timeout time has expired, changing cookie data for the web application from the second cookie data to guest cookie data associated with the guest account while maintaining the execution of the web application.
[0024] According to one embodiment, the method comprises: receiving user input to execute the web application based on the second user account while the web application is running based on the guest account; and in response to the user input, changing cookie data for the web application from the guest cookie data to third cookie data associated with the second user account while maintaining the execution of the web application, wherein the third cookie data may be set to be identical to the second cookie data.
[0025] However, the problems to be solved in this disclosure are not limited to those mentioned above, and may be determined in various ways without departing from the spirit and scope of this disclosure.
[0026] FIG. 1 is a block diagram of an electronic device in a network environment according to one embodiment of the present disclosure.
[0027] FIG. 2 illustrates a system providing an SSO service according to one embodiment of the present disclosure.
[0028] FIG. 3 illustrates a method of storing cookie data according to one embodiment of the present disclosure.
[0029] FIG. 4 is a diagram illustrating the structure of a web application according to one embodiment of the present disclosure.
[0030] FIG. 5 illustrates the configuration of an electronic device that executes a web application using an SSO function according to one embodiment of the present disclosure.
[0031] FIG. 6 is a flowchart illustrating the operation of an electronic device according to one embodiment of the present disclosure.
[0032] FIG. 7 is a diagram illustrating a procedure for switching user accounts for the use of a web application according to one embodiment of the present disclosure.
[0033] FIG. 8 is a diagram illustrating a procedure for switching user accounts for the use of a web application according to one embodiment of the present disclosure.
[0034] FIG. 9 is a diagram illustrating a procedure for switching user accounts for the use of a web application according to one embodiment of the present disclosure.
[0035] FIG. 10 is a drawing illustrating an account selection screen according to one embodiment of the present disclosure.
[0036] FIGS. 11a and 11b are drawings for explaining the operation of obtaining user input requesting the execution of a web application according to one embodiment of the present disclosure.
[0037] FIG. 12 is a diagram illustrating the operation of reconfiguring a web browser tab according to a user account switch, according to one embodiment of the present disclosure.
[0038] In the following description, the attached drawings are referenced, and specific examples of implementation are illustrated within the drawings. Additionally, other examples may be used and structural modifications may be made without departing from the scope of the various examples.
[0039] The electronic device according to the embodiments disclosed in this document may be of various forms. The electronic device may include, for example, a portable communication device (e.g., a smartphone), a computer device, a portable multimedia device, a portable medical device, a camera, a wearable device, or a consumer electronics device. The electronic device according to the embodiments of this document is not limited to the devices described above.
[0040] The embodiments of this document and the terms used therein are not intended to limit the technical features described in this document to specific embodiments, and should be understood to include various modifications, equivalents, or substitutions of said embodiments. In connection with the description of the drawings, similar reference numerals may be used for similar or related components. The singular form of a noun corresponding to an item may include one or more of said items unless the relevant context clearly indicates otherwise.
[0041] In this document, each of the phrases such as “A or B,” “at least one of A and B,” “at least one of A or B,” “A, B or C,” “at least one of A, B and C,” and “at least one of A, B, or C” may include any one of the items listed together in the corresponding phrase, or all possible combinations thereof. Terms such as “first,” “second,” or “first” or “second” may be used simply to distinguish a component from another component and do not limit the components in any other aspect (e.g., importance or order). Where any (e.g., first) component is referred to as “coupled” or “connected” to another (e.g., second) component, with or without the terms “functionally” or “communicationly,” it means that said component may be connected to said other component directly (e.g., wired), wirelessly, or through a third component.
[0042] The term “module” as used in the various embodiments of this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example. A module may be a component formed integrally, or a minimum unit of said component or a part thereof that performs one or more functions. For example, according to one embodiment, a module may be implemented in the form of an application-specific integrated circuit (ASIC).
[0043] According to one embodiment, each component (e.g., module or program) of the components described above may include a singular or multiple entities, and some of the multiple entities may be separated and placed in other components. According to one embodiment, one or more of the components or operations of the aforementioned components may be omitted, or one or more other components or operations may be added. Generally or additionally, multiple components (e.g., module or program) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the components of the multiple components in the same or similar manner as those performed by the corresponding components among the multiple components prior to integration. According to one embodiment, operations performed by the module, program, or other components may be executed sequentially, in parallel, iteratively, or heuristically, or one or more of the operations may be executed in a different order, omitted, or one or more other operations may be added.
[0044] FIG. 1 is a block diagram of an electronic device in a network environment according to one embodiment of the present disclosure.
[0045] Referring to FIG. 1, in a network environment (100), an electronic device (101) may communicate with an electronic device (102) through a first network (198) (e.g., a short-range wireless communication network) or with an electronic device (104) or a server (108) through a second network (199) (e.g., a long-range wireless communication network). According to one embodiment, the electronic device (101) may communicate with the electronic device (104) through a server (108). According to one embodiment, the electronic device (101) may include a processor (120), memory (130), input module (150), sound output module (155), display module (160), audio module (170), sensor module (176), interface (177), connection terminal (178), haptic module (179), camera module (180), power management module (188), battery (189), communication module (190), subscriber identification module (196), or antenna module (197). In one embodiment, at least one of these components (e.g., connection terminal (178)) may be omitted from the electronic device (101), or one or more other components may be added. In one embodiment, some of these components (e.g., sensor module (176), camera module (180), or antenna module (197)) may be integrated into a single component (e.g., display module (160)).
[0046] The processor (120) can control at least one other component (e.g., a hardware or software component) of the electronic device (101) connected to the processor (120) by executing software (e.g., a program (140)), and can perform various data processing or operations. According to one embodiment, as at least part of the data processing or operations, the processor (120) can store commands or data received from other components (e.g., a sensor module (176) or a communication module (190)) in volatile memory (132), process the commands or data stored in volatile memory (132), and store the resulting data in non-volatile memory (134). According to one embodiment, the processor (120) may include a main processor (121) (e.g., a central processing unit or an application processor) or an auxiliary processor (123) that can operate independently or together with it (e.g., a graphics processing unit, a neural processing unit (NPU), an image signal processor, a sensor hub processor, or a communication processor). For example, if the electronic device (101) includes a main processor (121) and an auxiliary processor (123), the auxiliary processor (123) may be configured to use less power than the main processor (121) or to be specialized for a designated function. The auxiliary processor (123) may be implemented separately from the main processor (121) or as part thereof.
[0047] The auxiliary processor (123) may control at least some of the functions or states associated with at least one component of the electronic device (101) (e.g., display module (160), sensor module (176), or communication module (190)) on behalf of the main processor (121) while the main processor (121) is in an inactive (e.g., sleep) state, or together with the main processor (121) while the main processor (121) is in an active (e.g., application execution) state. According to one embodiment, the auxiliary processor (123) (e.g., image signal processor or communication processor) may be implemented as part of another functionally related component (e.g., camera module (180) or communication module (190)). According to one embodiment, the auxiliary processor (123) (e.g., neural network processing unit) may include a hardware structure specialized for processing an artificial intelligence model. The artificial intelligence model may be generated through machine learning. Such learning may be performed, for example, on the electronic device (101) itself where the artificial intelligence is performed, or through a separate server (e.g., server (108)). The learning algorithm may include, for example, supervised learning, unsupervised learning, semi-supervised learning, or reinforcement learning, but is not limited to the examples described above. The artificial intelligence model may include a plurality of artificial neural network layers.An artificial neural network may be a deep neural network (DNN), a convolutional neural network (CNN), a recurrent neural network (RNN), a restricted Boltzmann machine (RBM), a deep belief network (DBN), a bidirectional recurrent deep neural network (BRDNN), a deep Q-network, or a combination of two or more of the above, but is not limited to the examples described above. In addition to the hardware structure, the artificial intelligence model may include a software structure, either additionally or substantially.
[0048] The memory (130) can store various data used by at least one component of the electronic device (101) (e.g., processor (120) or sensor module (176)). The data may include, for example, input data or output data for software (e.g., program (140)) and related commands. The memory (130) may include volatile memory (132) or non-volatile memory (134).
[0049] The program (140) may be stored as software in memory (130) and may include, for example, an operating system (142), middleware (144), or an application (146).
[0050] The input module (150) can receive commands or data to be used for a component of the electronic device (101) (e.g., processor (120)) from outside the electronic device (101) (e.g., user). The input module (150) may include, for example, a microphone, a mouse, a keyboard, a key (e.g., a button), or a digital pen (e.g., a stylus pen).
[0051] The sound output module (155) can output a sound signal to the outside of the electronic device (101). The sound output module (155) may include, for example, a speaker or a receiver. The speaker may be used for general purposes, such as multimedia playback or recording playback. The receiver may be used to receive incoming calls. According to one embodiment, the receiver may be implemented separately from the speaker or as part thereof.
[0052] The display module (160) can visually provide information to an external (e.g., user) of the electronic device (101). The display module (160) may include, for example, a display, a hall area-gram device, or a projector and a control circuit for controlling said device. According to one embodiment, the display module (160) may include a touch sensor configured to detect a touch, or a pressure sensor configured to measure the intensity of the force generated by said touch.
[0053] The audio module (170) can convert sound into an electrical signal or, conversely, convert an electrical signal into sound. According to one embodiment, the audio module (170) can acquire sound through the input module (150) or output sound through the sound output module (155) or an external electronic device (e.g., electronic device (102)) (e.g., speaker or headphones) connected directly or wirelessly to the electronic device (101).
[0054] The sensor module (176) can detect the operating state of the electronic device (101) (e.g., power or temperature) or the external environmental state (e.g., user state) and generate an electrical signal or data value corresponding to the detected state. According to one embodiment, the sensor module (176) may include, for example, a gesture sensor, a gyroscope sensor, a barometric pressure sensor, a magnetic sensor, an accelerometer sensor, a grip sensor, a proximity sensor, a color sensor, an IR (infrared) sensor, a biosensor, a temperature sensor, a humidity sensor, or an illuminance sensor.
[0055] The interface (177) may support one or more specified protocols that can be used for the electronic device (101) to be connected directly or wirelessly to an external electronic device (e.g., electronic device (102)). According to one embodiment, the interface (177) may include, for example, a high definition multimedia interface (HDMI), a universal serial bus (USB) interface, an SD card interface, or an audio interface.
[0056] The connection terminal (178) may include a connector through which the electronic device (101) can be physically connected to an external electronic device (e.g., electronic device (102)). According to one embodiment, the connection terminal (178) may include, for example, an HDMI connector, a USB connector, an SD card connector, or an audio connector (e.g., a headphone connector).
[0057] The haptic module (179) can convert an electrical signal into a mechanical stimulus (e.g., vibration or movement) or an electrical stimulus that can be perceived by the user through tactile or kinesthetic senses. According to one embodiment, the haptic module (179) may include, for example, a motor, a piezoelectric element, or an electric stimulation device.
[0058] The camera module (180) can capture still images and video. According to one embodiment, the camera module (180) may include one or more lenses, image sensors, image signal processors, or flashes.
[0059] The power management module (188) can manage power supplied to the electronic device (101). According to one embodiment, the power management module (188) can be implemented, for example, as at least part of a power management integrated circuit (PMIC).
[0060] The battery (189) can supply power to at least one component of the electronic device (101). According to one embodiment, the battery (189) may include, for example, a non-rechargeable primary battery, a rechargeable secondary battery, or a fuel cell.
[0061] The communication module (190) can support the establishment of a direct (e.g., wired) communication channel or a wireless communication channel between an electronic device (101) and an external electronic device (e.g., electronic device (102), electronic device (104), or server (108)), and the performance of communication through the established communication channel. The communication module (190) may include one or more communication processors that operate independently of the processor (120) (e.g., application processor) and support direct (e.g., wired) communication or wireless communication. According to one embodiment, the communication module (190) may include a wireless communication module (192) (e.g., cellular communication module, short-range wireless communication module, or GNSS (global navigation satellite system) communication module) or a wired communication module (194) (e.g., LAN (local area network) communication module, or power line communication module). The corresponding communication module among these communication modules can communicate with an external electronic device (104) through a first network (198) (e.g., a short-range communication network such as Bluetooth, WiFi (wireless fidelity) direct, or IrDA (infrared data association)) or a second network (199) (e.g., a legacy cellular network, a 5G network, a next-generation communication network, the Internet, or a computer network (e.g., a LAN or WAN)). These various types of communication modules may be integrated into a single component (e.g., a single chip) or implemented as multiple separate components (e.g., multiple chips). The wireless communication module (192) can identify or authenticate the electronic device (101) within a communication network such as the first network (198) or the second network (199) using subscriber information (e.g., International Mobile Subscriber Identifier (IMSI)) stored in the subscriber identification module (196).
[0062] The wireless communication module (192) can support 5G networks and next-generation communication technologies following 4G networks, for example, new radio access technology. NR access technology can support high-speed transmission of high-capacity data (enhanced mobile broadband (eMBB)), minimization of terminal power and connection of multiple terminals (massive machine type communications (mMTC)), or high reliability and low latency (ultra-reliable and low-latency communications (URLLC)). The wireless communication module (192) can support a high-frequency band (e.g., mmWave band) to achieve a high data transmission rate, for example. The wireless communication module (192) can support various technologies for securing performance in the high-frequency band, such as beamforming, massive MIMO (multiple-input and multiple-output), full-dimensional MIMO (FD-MIMO), array antenna, analog beam-forming, or large-scale antenna. The wireless communication module (192) can support various requirements specified in the electronic device (101), external electronic device (e.g., electronic device (104)), or network system (e.g., second network (199)). According to one embodiment, the wireless communication module (192) may support a Peak data rate (e.g., 20 Gbps or more) for eMBB realization, loss coverage (e.g., 164 dB or less) for mMTC realization, or U-plane latency (e.g., downlink (DL) and uplink (UL) each 0.5 ms or less, or round trip 1 ms or less) for URLLC realization.
[0063] An antenna module (197) can transmit a signal or power to or from an external source (e.g., an external electronic device). According to one embodiment, the antenna module (197) may include an antenna comprising a radiator made of a conductor or a conductive pattern formed on a substrate (e.g., a PCB). According to one embodiment, the antenna module (197) may include a plurality of antennas (e.g., an array antenna). In this case, at least one antenna suitable for a communication method used in a communication network, such as a first network (198) or a second network (199), may be selected from the plurality of antennas, for example, by a communication module (190). A signal or power may be transmitted or received between the communication module (190) and an external electronic device through the selected at least one antenna. According to one embodiment, in addition to the radiator, other components (e.g., a radio frequency integrated circuit (RFIC)) may be additionally formed as part of the antenna module (197).
[0064] According to one embodiment, the antenna module (197) may form a mmWave antenna module. According to one embodiment, the mmWave antenna module may include a printed circuit board, an RFIC disposed on or adjacent to a first surface (e.g., bottom surface) of the printed circuit board and capable of supporting a specified high frequency band (e.g., mmWave band), and a plurality of antennas (e.g., array antennas) disposed on or adjacent to a second surface (e.g., top surface or side surface) of the printed circuit board and capable of transmitting or receiving a signal of the specified high frequency band.
[0065] At least some of the above components can be connected to each other via a communication method between peripheral devices (e.g., bus, GPIO (general purpose input and output), SPI (serial peripheral interface), or MIPI (mobile industry processor interface)) and exchange signals (e.g., commands or data) with each other.
[0066] According to one embodiment, commands or data may be transmitted or received between an electronic device (101) and an external electronic device (104) through a server (108) connected to a second network (199). Each of the external electronic devices (102, or 104) may be the same or a different type of device as the electronic device (101). According to one embodiment, all or part of the operations performed on the electronic device (101) may be performed on one or more of the external electronic devices (102, 104, or 108). For example, if the electronic device (101) needs to perform a function or service automatically or in response to a request from a user or another device, the electronic device (101) may request one or more external electronic devices to perform at least part of the function or service instead of performing the function or service itself or additionally. One or more external electronic devices that receive the above request may execute at least part of the requested function or service, or additional function or service related to the request, and transmit the result of the execution to the electronic device (101). The electronic device (101) may provide the result as is or additionally processed as at least part of the response to the request. For this purpose, for example, cloud computing, distributed computing, mobile edge computing (MEC), or client-server computing technology may be used. The electronic device (101) may provide ultra-low latency services using, for example, distributed computing or mobile edge computing. In one embodiment, the external electronic device (104) may include an Internet of Things (IoT) device. The server (108) may be an intelligent server using machine learning and / or neural networks. According to one embodiment, the external electronic device (104) or the server (108) may be included within a second network (199).The electronic device (101) can be applied to intelligent services (e.g., smart home, smart city, smart car, or healthcare) based on 5G communication technology and IoT-related technology.
[0067] According to one embodiment of the present disclosure, an electronic device (e.g., the electronic device (101) of FIG. 1) may provide an integrated account service that allows a plurality of services (or applications) to be used with a single user account. The integrated account service may be provided using an authentication technology (e.g., single sign-on (SSO) technology) that supports access to a plurality of applications or systems with a single user authentication. For convenience of explanation, the use of SSO technology as the authentication technology for the integrated account service is exemplified below, but the embodiments are not limited thereto, and various types of authentication technologies may be applied to the embodiments of the present disclosure.
[0068] FIG. 2 illustrates a system providing an SSO service according to one embodiment of the present disclosure.
[0069] Referring to FIG. 2, a system providing SSO services (hereinafter, SSO system) (200) may include a user's electronic device (hereinafter, user device) (101), an authentication server (210), a first service provider server (221), a second service provider server (222), and / or a browser cookie storage (230). According to one embodiment, the SSO system (200) may be a system that utilizes cookie-based SSO technology.
[0070] According to one embodiment, a user device (101) can access at least one server through a browser (e.g., the web browser (410) of FIG. 4). For example, the user device (101) can access an authentication server (210) for user authentication through a web browser. For example, the user device (101) can access a service provider server (221, 222) for the use of a web application through a web browser. In the embodiment of FIG. 2, the operation of the user device (101) can be understood as the operation of a web browser included in the user device (101). Such a web browser can perform the role of a client in a client-server model.
[0071] According to one embodiment, the authentication server (210) may be a central server that processes user authentication and manages authentication information. For example, the authentication server (210) may be a server provided by an identity provider (e.g., Microsoft Azure AD).
[0072] According to one embodiment, the service provider server (221, 222) may be a server that provides individual applications (e.g., Microsoft 365) or services that a user can access. For example, the first service provider server (221) may be a server that provides at least one first application (e.g., a first web application), and the second service provider server (222) may be a server that provides at least one second application (e.g., a second web application). According to one embodiment, the first application may be an application different from the second application. In an SSO system, the first application and the second application may be accessed and used through a single user authentication.
[0073] According to one embodiment, the SSO technology may use a standardized protocol to exchange security authentication information. The standardized protocol may include, but is not limited to, SAML, OAuth, and / or OpenID Connect protocols.
[0074] According to one embodiment, in operation o1, a user device (101) may connect to a first service provider server (221). For example, the user device (101) may transmit a first request to the first service provider server (221) for the execution (or connection) of a first application (e.g., a web application) provided by the first service provider server (221) via a web browser. The first request may be transmitted, for example, based on a domain address corresponding to the first application being entered into the web browser, but is not limited thereto.
[0075] According to one embodiment, in operation o2, the first service provider server (221) may send a first response to the user device (101) for redirection to the authentication server (210) in response to a first request received from the user device (101). The user device (101) may send a second request corresponding to the first request to the authentication server (210) in response to the first response.
[0076] According to one embodiment, in operation o3, the authentication server (210) may perform user authentication in response to the second request. For example, the authentication server (210) may perform user authentication by checking whether the user is logged in. The authentication server (210) may check whether the user is logged in successfully based on user authentication information (e.g., user ID, password) entered through the login screen, for example.
[0077] According to one embodiment, in operation o4, if user authentication is successful (e.g., when the user is logged in normally), the authentication server (210) may create an authentication session and / or an authentication session cookie, store information about the created authentication session in a storage of the authentication server (210), and store information about the created cookie in a browser cookie storage (230). The browser cookie storage (230) may be included in the user device (101) (or the web browser of the user device (101)). The authentication session may include information about, for example, user authentication status, connection IP, client information, and / or session expiration time. The authentication session cookie may include information about, for example, an authentication session ID, token, user authentication status, authentication session cookie expiration time, and / or security attributes. The authentication session cookie thus stored may be automatically included in a request (e.g., an HTTP request) connected to the domain of the authentication server (210) generated by the user device (101).
[0078] According to one embodiment, in operation o5, the authentication server (210) may transmit a token to the first service provider server (221). In operation o6, the first service provider server (221) may, in response to receiving the token, perform authentication using the received token to create a session between the user device (101) and the first service provider server (221) (hereinafter, the first session) (e.g., the first session between the web browser of the user device (101) and the first web application of the first service provider server (221)) and a session cookie for the first session (hereinafter, the first session cookie). In operation o7, the first service provider server (221) may store information about the first session in the storage of the first service provider server (221) and store information about the first session cookie in the browser cookie storage (230). The first session may include, for example, information about the user authentication status, the connection IP, client information, and / or the first session expiration time. The first session cookie may include information, for example, a first session ID, user authentication status, a first cookie expiration time, and / or security attributes. The first session cookie may be valid only within the domain of the first service provider server (221). The first session cookie may be automatically included in requests (e.g., HTTP requests) connected to the domain of the first service provider server (221) generated by the user device (101). Through this, the first session cookie may enable the user device (101) to continue performing operations through the first web application of the first service provider server (221). Subsequently, the user device (101) may connect to the first service provider server (221) and other service provider servers.
[0079] According to one embodiment, in operation o8, a user device (101) may connect to a second service provider server (222). For example, the user device (101) may transmit a third request to the second service provider server (222) via a web browser for the execution (or connection) of a second application (e.g., a web application) provided by the second service provider server (222). The third request may be transmitted, for example, based on a domain address corresponding to the second application being entered into the web browser, but is not limited thereto.
[0080] According to one embodiment, in operation o9, the second service provider server (222) may send a second response to the user device (101) for redirection to the authentication server (210) in response to a third request received from the user device (101). The user device (101) may send a fourth request corresponding to the third request to the authentication server (210) in response to the second response.
[0081] According to one embodiment, in operation o10, the authentication server (210) may perform user authentication in response to the fourth request. For example, the authentication server (210) may perform user authentication by checking whether an authentication session cookie is available.
[0082] According to one embodiment, in operation o11, the authentication server (210) may transmit a token to the second service provider server (222) when user authentication is successful (e.g., when an authentication session cookie is available). Since the authentication session cookie is already created and available through the above-described o3, the authentication server (210) may transmit the token contained in the authentication session cookie to the second service provider server (222) without performing an operation to store the authentication session cookie. In operation o12, the second service provider server (222) may, in response to receiving the token, perform authentication using the received token to create a session between the user device (101) and the second service provider server (222) (hereinafter, the second session) (e.g., the second session between the web browser of the user device (101) and the second web application of the second service provider server (222)) and a session cookie for the second session (hereinafter, the second session cookie). In operation o13, the second service provider server (222) may store information about the second session in the storage of the second service provider server (222) and store information about the second session cookie in the browser cookie storage (230). The second session may include, for example, information about the user authentication status, connection IP, client information, and / or the first session expiration time. The second session cookie may include, for example, information about the second session ID, user authentication status, second cookie expiration time, and / or security attributes. The second session cookie may be valid only in the domain of the second service provider server (222). The second session cookie may be automatically included in a request (e.g., HTTP request) connected to the domain of the first service provider server (221) generated by the user device (101). Through this, the second session cookie may support the user device (101) to continue performing operations through the second web application of the second service provider server (222).
[0083] As described above, in the SSO system (200), the user device (101) can use applications provided by multiple service provider servers (221, 222) without performing a login procedure through a single user authentication by the authentication server (210).
[0084] In the embodiment of FIG. 2 described above, for convenience of explanation, it is described as an example in which a user device (101) can use applications (or services) provided by two service provider servers (221, 222) through a single user authentication, but is not limited thereto. For example, applications (or services) provided by three or more service provider servers may be used through a single user authentication.
[0085] In the embodiment of FIG. 2 described above, for convenience of explanation, it is described as an example in which a user device (101) connects to an authentication server (210) through a service provider server (221) to perform user authentication, but is not limited thereto. For example, the user device (101) may connect to the authentication server (210) and perform user authentication through a separate login procedure for SSO services (e.g., a login procedure through the login item (1020) of the account selection screen (1000) of FIG. 10) without going through the service provider server (221).
[0086] FIG. 3 illustrates a method of storing cookie data according to one embodiment of the present disclosure.
[0087] Referring to FIG. 3, a cookie data storage (300) (e.g., memory (130) of FIG. 1 or browser cookie storage (230) of FIG. 2) may store at least one cookie data (310, 320). For example, the cookie data storage (300) may store cookie data associated with a first user account (hereinafter referred to as first account cookie data) and cookie data associated with a second user account different from the first user account (hereinafter referred to as second account cookie data). According to one embodiment, the first user account and the second user account may be user accounts for SSO services provided by an SSO system (hereinafter referred to as SSO accounts). For example, the first user account and the second user account may be SSO accounts connected to a platform (OS) (e.g., Samsung’s Tizen). In the present disclosure, account cookie data, first account cookie data, and second account cookie data may be abbreviated as cookie data, first cookie data, and second cookie data, respectively.
[0088] According to one embodiment, the first user account and the second user account may each be user accounts for different users. For example, the first user account may be a user account for a first user, and the second user account may be a user account for a second user different from the first user. According to one embodiment, the first user account and the second user account may be separate user accounts for the same user. For example, one user may create multiple user accounts, and in this case, the first user account and the second user account may be separate user accounts for the same user.
[0089] According to one embodiment, cookie data (310, 320) may include, for example, an authentication session cookie for an associated user account (e.g., an authentication session cookie generated by the authentication server (210) of FIG. 2) and / or at least one session cookie (e.g., a first session cookie generated by the first service provider server (221) of FIG. 2 and / or a second session cookie generated by the second service provider server (222) of FIG. 2). For example, the first account cookie data (310) may include an authentication session cookie for a first user account, a first session cookie and / or a second session cookie. For example, the second account cookie data (320) may include an authentication session cookie for a second user account, a first session cookie and / or a second session cookie.
[0090] According to one embodiment, each cookie data stored in the cookie data storage (300) may be isolated from one another. For example, cookie data (310, 320) set per SSO account may be stored separately in access protected areas (311, 321) using a specified security mechanism. The security mechanism for isolating cookie data may include, for example, a sandbox, a trusted execution environment (TEE), and application isolation, but is not limited thereto. The access protected area may be, for example, an isolated container, a sandbox environment, a protected area, a restricted access zone, an isolated execution environment, or a secure execution zone.
[0091] According to one embodiment, access protection zones (311, 321) may be configured per user. For example, each cookie data (310, 320) may be stored and managed in an access protection zone (311, 321) configured per user. For example, if a sandbox mechanism is used as a security mechanism, the first cookie data (310) may be stored in a sandbox environment different from the second cookie data (320). The sandbox environment may be, for example, a protected area where a running application or process is isolated from other system resources and protected from external influences.
[0092] Through isolated storage according to the method described above, the execution environment associated with each cookie data is isolated to a limited area, ensuring that running code or applications do not affect other parts of the system. This allows for the protection of user privacy, for instance, by preventing the exposure of cookie data from other user accounts even if cookie data from one user account is stolen. Such isolated storage of account-specific cookie data may be necessary to protect user privacy in web-based platform environments, for instance, where it is difficult to provide completely separate virtual platform (OS) environments for each account.
[0093] According to one embodiment, cookie data (310, 320) may be included in access protection areas (311, 312) together with setting information. For example, first account cookie data (310) may be stored in the first access protection area (311) together with setting information associated with the first user account, and second account cookie data (320) may be stored in the second access protection area (312), which is isolated from the first access protection area (311), together with setting information associated with the second user account. The setting information may include, for example, personalized data and / or settings associated with the user account. For example, the setting information may include information such as bookmarks, settings, favorites, and usage history associated with the user account.
[0094] FIG. 4 is a diagram illustrating the structure of a web application according to one embodiment of the present disclosure.
[0095] Referring to FIG. 4, the web application (400) may have three layers including a client layer, a server layer, and a data layer. The web application (400) may be, for example, a first application provided by a first service provider server (221) and / or a second application provided by a second service provider server (222).
[0096] According to one embodiment, the client layer may provide a user interface to provide a function for interacting with the user. The client layer may use frontend technologies such as HTML, CSS, and JavaScript. The client layer may include, but is not limited to, a web browser (410) included in an electronic device (e.g., the electronic device (101) of FIG. 1 and 2). For example, the client layer may include a web engine, a single web view, or a dedicated application having multiple web views.
[0097] According to one embodiment, the server layer can perform the function of processing business logic and forwarding client requests to the data layer. The server layer can act as an intermediary between the client and the data layer. The server layer can use technologies such as Java, Python, PHP, and Node.js. The server layer may include at least one web server (420) and / or at least one web application server (430).
[0098] According to one embodiment, the data layer can perform the function of storing and managing data. The data layer can use technologies such as MySQL, PostgreSQL, and MongoDB. The data layer may include a database (440).
[0099] According to one embodiment, in operation 401, the web browser (410) may generate a request message (e.g., HTTP request message) corresponding to user input for a specific task (e.g., login, application execution) and transmit the generated request message to a web server (420). User input may be, for example, URL input through the address bar of the web browser (410), input selecting a hyperlink (e.g., button input), and / or data input, but is not limited thereto. The request message may include, for example, an HTTP method (e.g., GET, POST, PUT), a request target (e.g., URL), and / or request headers (e.g., cookies), but is not limited thereto. The cookies included in the request headers may be, for example, cookies included in the first account cookie data (310) or the second account cookie data (320) of FIG. 3 (e.g., authentication session cookie, first session cookie (e.g., first session ID), or second session cookie (e.g., second session ID)). Cookies included in the request header can be obtained, for example, through a procedure via the SSO system (200) of FIG. 2. Through the transmission of such cookies, user authentication can be performed by a web application server (430) or an authentication server (e.g., the authentication server (210) of FIG. 2).
[0100] According to one embodiment, the web server (420) may respond to the reception of a request message by analyzing the request corresponding to the request message and the cookie included in the request message, and perform an action based on the analysis result. For example, if the request is a static request, the web server (420) may generate static content (e.g., HTML, CSS, JS files) and, through action 406, send a response message (e.g., HTTP response message) containing the static content to the web browser (410). For example, if the request is a dynamic request, the web server (420) may forward the request to the web application server (430) through action 402.
[0101] According to one embodiment, a web application server (430) (e.g., the first service provider server (221) or the second service provider server (222) of FIG. 2) may request an authentication server (e.g., the authentication server (210) of FIG. 2) to authenticate (or verify) the cookie included in the request in response to the receipt of the request. The authentication server may perform authentication of the cookie based on the request of the web application server (430), and if the authentication is successfully performed, may send a response (e.g., a response including user ID and / or authorization information) to the web application server (430) stating that the cookie (or the session associated with the cookie) is valid. The user ID and / or authorization included in the response may be used by the web application server (430) to retrieve data from the database (440).
[0102] According to one embodiment, the web application server (430) may, in response to receiving a response that the cookie (or session associated with the cookie) is valid, process a request received from the web browser (410) according to business logic and retrieve or update necessary data from the database (440). The database (440) may process the request from the web application server (430) via operation 403 and return data via operation 404. In operations 405 and 406, the web application server (430) may generate dynamic content (e.g., a JSON file) based on the result of processing and send a response message (e.g., an HTTP response message) containing the dynamic content to the web browser (410) via the web server (420). The web browser (410) may, in response to receiving the response message, render and display the data included in the response message (e.g., HTML, CSS, JS, or JSON data) on the screen.
[0103] FIG. 5 illustrates the configuration of an electronic device that executes a web application using an SSO function according to one embodiment of the present disclosure.
[0104] Referring to FIG. 5, according to one embodiment, an electronic device (500) (e.g., the electronic device (101) of FIG. 1) may include an SSO module (510), a web application module (520), an SSO change management module (530), first account cookie data (541) and / or second account cookie data (542). According to one embodiment, the SSO change management module (530) may be included in the SSO module (510) or the web application module (520).
[0105] According to one embodiment, the electronic device (500) may operate in a platform (OS) environment. The platform environment may be, for example, a web-based platform environment. Such a web-based platform environment may make it difficult to provide completely separate virtual platform environments for each account (e.g., SSO account).
[0106] According to one embodiment, the SSO module (510) may be a client-side configuration that provides an SSO function of an SSO system (e.g., the SSO system (200) of FIG. 2). For example, the SSO module (510) may be a configuration within the electronic device (500) that supports a function that enables the electronic device (500) to use multiple web applications (e.g., the first application and the second application of FIG. 2) through a single authentication via an SSO authentication procedure supported, for example, in the SSO system (200) of FIG. 2 (e.g., an authentication procedure via operations o1 to o13 of FIG. 2).
[0107] According to one embodiment, the web application module (520) may be a client-side configuration of a web application (e.g., the web application (400) of FIG. 4). For example, the web application module (520) may include a web browser (e.g., the web browser (510) of FIG. 4) for running the web application, a single web view, or a plurality of web views.
[0108] According to one embodiment, a web application module (520) may be associated with at least one process (e.g., a single process or a group of processes). Here, the process may be an instance of a running web application. The process may be an execution unit that performs, for example, a task (e.g., execution or use of a web application). Here, the task may be a unit of a job (or function) that can be executed in a computing system and may consist of a series of instructions that a processor must process to perform a specific purpose. According to one embodiment, at least one process may include, for example, a browser process for managing the functions of a web browser, a rendering process for rendering data received from a web server (420) and / or a web application server (430) to display a screen in a web browser, or a network process for communicating with the web server (420) and / or the web application server (430).
[0109] According to one embodiment, the SSO change management module (530) may be a module that performs processing related to SSO account changes. For example, the SSO change management module (530) may detect a change in an SSO account at the platform level and perform SSO account change processing based on this. SSO account change processing may be executed in the background.
[0110] According to one embodiment, the SSO change management module (530) can identify that the account is changed to a second account (e.g., a second user's SSO account) while the web application is running through a first account (e.g., a first user's SSO account) and perform processing related to the SSO account change. According to one embodiment, the web application being running may include, for example, a state in which the execution of the web application has started and is not yet terminated. For example, the web application being running may include that at least one process associated with the web application (e.g., a browser process) is in an executable state (e.g., a runnable state) or a running state (e.g., a running state). Processing related to changing an SSO account may include, for example, an operation of switching (or replacing) the cookie data of a first account (hereinafter, first account cookie data) (541) (e.g., first account cookie data (310) of FIG. 3) to the cookie data of a second account (hereinafter, second account cookie data) (542) (e.g., second account cookie data (320) of FIG. 3) while maintaining the execution of a currently running web application. According to one embodiment, maintaining the execution of a web application may include maintaining the execution of at least one process (e.g., a browser process) associated with the web application. In this case, the web application for the changed SSO account may be used without terminating and restarting the web application (or the web browser for running the web application). Through this, overhead caused by terminating and restarting the web application may be reduced, thereby improving usability and performance and saving power. According to one embodiment, the first account cookie data (541) and the second account cookie data (542) can be stored separately from each other.In this case, as account cookie data is switched while the web application remains running, it may be difficult to access other account cookie data even if one account cookie data is exposed. Through this, user privacy can be protected.
[0111] According to one embodiment, the SSO change management module (530) can identify that a specified timeout has expired while the web application is running through the first account (e.g., the first user's SSO account) and perform processing related to the SSO account change. Processing related to the SSO account change may include, for example, an operation to switch (or replace) the first account cookie data (541) to the guest account cookie data (hereinafter, guest cookie data) while maintaining the execution of the currently running web application.
[0112] According to one embodiment, account cookie data (541, 542) may be connected (or applied) to an SSO module (510), a web application module (520), and / or an SSO change management module (530). For example, first account cookie data (541) may be connected to an SSO module (510), a web application module (520), and an SSO change management module (530) for the execution of a first user's web application. Such first account cookie data (541) may be connected to each module (510, 520, 530) through a first cookie path (501). For example, second account cookie data (542) may be connected to an SSO module (510), a web application module (520), and an SSO change management module (530) for the execution of a second user's web application. These second account cookie data (542) can be connected to each module (510, 520, 530) through the second cookie path (502).
[0113] According to one embodiment, the electronic device (500) may execute at least one process associated with a web application module (520) based on receiving a user input requesting the execution of a web application. For example, the web application module (520) may execute a browser process for processing a web browser in response to the execution of a web browser for executing a web application, and execute a tab process for creating a tab corresponding to the web application within the browser in response to receiving a URL input or a link input for accessing the web application through the web browser. For example, the web application module (520) may execute a network process for transmitting a request message corresponding to the user input to a web server (420) and / or a web application server (430), and execute a rendering process for rendering a screen based on a response message received from the server.
[0114] According to one embodiment, account cookie data (541, 542) may be connected (or applied) to a web application module (520) based on the initiation of execution of a web application. For example, account cookie data (541, 542) may be connected to the web application module (520) after at least one process associated with the web application (e.g., a browser process and / or a tab process) has been executed. When account cookie data (541, 542) is connected to the web application module (520), the web application module (520) may include the cookies contained in the account cookie data (541, 542) in a request message (e.g., an HTTP request message) transmitted to a server. Through this, user authentication may be performed on the server.
[0115] FIG. 6 is a flowchart illustrating the operation of an electronic device according to one embodiment of the present disclosure.
[0116] Referring to FIG. 6, in operation 610, an electronic device (e.g., the electronic device (101) of FIG. 1 or the electronic device (500) of FIG. 5) can identify a transition from a first user account to a second user account while a web application (e.g., the web application of FIG. 4) is running based on a first user account (e.g., an SSO account). Operation 610 can be performed by an SSO module (e.g., the SSO module (510) of FIG. 5). The transition of user accounts can be performed, for example, through an account transition screen (1000) of FIG. 10.
[0117] According to one embodiment, the fact that a web application is running based on a first user account may include, for example, that the web application is running while logged in with the first user account. According to one embodiment, the fact that a web application is running may include, for example, that the execution of the web application has started and is in a state before termination. For example, the fact that a web application is running may include that at least one process associated with the web application (e.g., a browser process) is in an executable state (e.g., a runnable state) or a running state (e.g., a running state). According to one embodiment, at least one process may include, for example, a browser process for managing the functions of a web browser, a rendering process for rendering data received from a server (e.g., a web server (420) and / or a web application server (430) of FIG. 4) to display a screen on the web browser, or a network process for communicating with the server.
[0118] In operation 620, the electronic device may, based on identifying a transition from a first user account to a second user account, change cookie data for a web browser used for running the web application (e.g., the web browser of FIG. 4) from first cookie data associated with the first user account (e.g., first account cookie data (310) of FIG. 3) to second cookie data associated with the second user account (e.g., second account cookie data (320) of FIG. 3) while maintaining the execution of the web application. Through this replacement of cookie data, the session may be replaced. Operation 620 may be performed, for example, by a web application module (e.g., the web application module (520) of FIG. 5) or an SSO change management module (e.g., the SSO change management module (530) of FIG. 5). According to one embodiment, maintaining the execution of the web application may include maintaining the web application in an executable or executable state without terminating it. For example, maintaining the execution of a web application may include keeping at least one process associated with the web application (e.g., a browser process) running or runnable. Through operation 620, the web application may be used for a changed user account without terminating and restarting the web application (or the process(s) associated with the web application). In this case, the overhead caused by terminating and restarting the web application may be reduced, thereby improving usability and performance and saving power.
[0119] In operation 630, the electronic device may receive user input for executing a web application based on a second user account (e.g., a request to execute a web application in operation 813 of FIG. 8). Operation 630 may be performed by a web application module (e.g., a web application module (520) of FIG. 5). According to one embodiment, executing a web application based on a second user account may include, for example, executing the web application while logged in with the second user account. According to one embodiment, the first user account may correspond to an SSO account connected to a platform account of a user different from the second user account.
[0120] According to one embodiment, the first cookie data may be isolated from the second cookie data using a specified security method. For example, the first cookie data may be configured to be stored in an access protection area (e.g., a sandbox environment) different from the second cookie data. When user-specific cookie data are isolated from each other in this way, access to other account cookie data may be difficult even if one account cookie data is exposed due to the switching of account cookie data while maintaining the execution of the web application. Through this, the user's privacy can be protected. The first cookie data may include identification information of a first session established for communication between a web browser and a server based on a first user account. The second cookie data may include identification information of a second session established for communication between a web browser and a server based on a second user account.
[0121] According to one embodiment, the electronic device may terminate at least one tab associated with a first user account within a web browser (e.g., at least one first tab (1230a) in FIG. 12) before receiving user input to execute a web application based on a second user account. According to one embodiment, the electronic device may reset a web context associated with a first user account within a web browser in the background before receiving user input to execute a web application based on a second user account. A web context may refer to a logical boundary or container established to manage the interaction between client requests and server resources in the execution environment of a web application. A web context may define and manage attributes such as the default path, settings, resources, and session information in which the web application operates. According to one embodiment, the electronic device may create at least one tab associated with a second user account within a web browser (e.g., at least one second tab (1240b) in FIG. 12) in response to receiving user input to execute a web application based on a second user account. The termination and / or creation of tabs can be performed in the background (e.g., by a background process). According to one embodiment, at least one newly created tab may have the user's personalized data and / or settings (e.g., bookmarks, usage history, favorites, web browser settings, web application settings) associated with a second user account applied to it. In this way, by terminating only the tab(s) associated with the existing user account and creating the tab(s) associated with the new user account in the background without terminating and restarting the process associated with the web application (e.g., browser process), rapid switching of user accounts can be enabled while protecting the user's privacy.
[0122] According to one embodiment, an electronic device can identify that a specified timeout period (e.g., 1 hour) has expired while a web application is running based on a second user account. Based on identifying that the timeout period has expired, the electronic device can change the cookie data for the web application from the second cookie data to guest cookie data associated with the guest account while maintaining the execution of the web application. According to one embodiment, while the web application is running based on the guest account, the electronic device receives user input to run the web application based on the second user account, and in response to the user input, can change the cookie data for the web application (or web browser) from guest cookie data to third cookie data associated with the second user account while maintaining the execution of the web application. The third cookie data can be set to be identical to the second cookie data. In this way, when the application is restarted after changing to guest cookie data upon a timeout, a faster switching of user accounts may be possible compared to restarting the web application (or the process of the web application) after it has been completely terminated. An explanation of the operation based on timeouts and guest accounts is described exemplarily below with reference to Fig. 9.
[0123] FIG. 7 is a diagram illustrating a procedure for switching user accounts for the use of a web application according to one embodiment of the present disclosure.
[0124] The embodiment of FIG. 7 may be an example of the operation of the electronic device of FIG. 6 (e.g., the electronic device (101) of FIG. 1 or the electronic device (500) of FIG. 5). In the embodiment of FIG. 7, it is assumed that the first account cookie data (541) and the second account cookie data (542) are not stored separately from each other.
[0125] Referring to FIG. 7, in operation 701, the SSO module (510) receives user input for the first user's login and can perform a login operation based on the user input. According to one embodiment, the SSO module (510) can perform a login operation in cooperation with an authentication server (e.g., the authentication server (210) of FIG. 2). The login operation may include, for example, an operation of displaying a login screen through a web browser (e.g., the web browser (410) of FIG. 4), an operation of transmitting information about the SSO account obtained through the login screen to the authentication server, and / or an operation of displaying a login result screen using login result information (e.g., login success or failure) based on the SSO account received from the authentication server. Below, subsequent operations are described based on the fact that the login for the first user has been successful. When the login is successfully performed, the web application module (520) (e.g., the web browser (410) of FIG. 4) can obtain (or receive) an authentication session cookie from the authentication server.
[0126] In operation 703, the web application module (520) receives user input requesting the execution of a web application and can perform a web application execution operation based on the user input. According to one embodiment, the web application module (520) can perform the web application execution operation in cooperation with a web server (e.g., web server (420) of FIG. 4), a web application server (e.g., web application server (430) of FIG. 4), and / or a database (e.g., database (440) of FIG. 4). The web application execution operation may include, for example, at least one of operations 401 to 406 of FIG. 4. For example, the web application execution operation may include an operation of executing at least one process (e.g., a browser process) for executing the web application.
[0127] In operation 705, the web application module (520) may obtain cookie data (hereinafter, first account cookie data (541)) associated with a first user account (hereinafter, first account) based on the execution of the web application. For example, after the web application is executed, the web application module (520) may receive (or obtain) the first account cookie data (541), including a first session cookie, from a service provider server (e.g., the first service provider server (221) or the second service provider server (222) of FIG. 2) that provides the web application through an authentication server. The web application module (520) may perform communication with a web server and / or a web application server using the first account cookie data.
[0128] In operation 707, the SSO module (510) receives user input for the login of a second user while the web application is running and can perform a login operation based on the user input. For a description of the login operation for the second user in operation 705, refer to the description of the login operation for the first user in operation 701. Below, subsequent operations are described based on the fact that the login for the second user was successful.
[0129] In operation 709, the SSO module (510) may send a command to the web application module (520) requesting a log-out for the first user's account (first account) based on identifying that the login for the second user has been successful. The web application module (520) may perform a log-out operation for the first account. Subsequent operations are described below based on the fact that the log-out for the first account has been successful. As described above, in a web-based platform environment where it is difficult to provide a completely separate virtual platform environment for each SSO account, if the execution of the web application running under the first account is not terminated even though the log-out for the first account has been successful, personalized information such as the history of the first user of the first account using the web application may remain. Through this, the user's privacy may be violated. Therefore, it is necessary for the web application to be completely terminated through a separate web application termination operation based on user input.
[0130] In operation 711, the web application module (520) receives user input requesting the termination of the web application while the web application is running after the first account has been logged out, and can perform a web application termination operation based on the user input. The web application termination operation may include, for example, an operation to log out all web applications associated with the SSO account, an operation to terminate the web application, and / or an operation to terminate the web browser. The operation to terminate the web application may include, for example, an operation to terminate all processes associated with the web application. Through such termination operations, the web application and / or web browser may be terminated. When the web application and / or web browser are terminated, personalized information, such as the history of the first user of the first account using the web application, may be completely deleted.
[0131] In operation 713, the web application module (530) receives user input requesting the execution of a web application for a second user account (second account) and can perform a web application execution operation based on the user input. For a description of the web application execution operation for the second account in operation 713, refer to the description of the web application execution operation for the first account in operation 703.
[0132] In operation 715, the web application module (520) may obtain cookie data associated with a second account (hereinafter, second account cookie data (542)) based on the execution of the web application. For example, after the web application is executed, the web application module (520) may receive (or obtain) the second account cookie data (542) including a second session cookie from a service provider server (e.g., the first service provider server (221) or the second service provider server (222) of FIG. 2) that provides the web application through an authentication server, and replace the first account cookie data (541) with the second account cookie data (542). The web application module (520) may perform communication with the web server and / or the web application server using the second account cookie data.
[0133] In the embodiment of FIG. 7 described above, even if an SSO account is switched, there is no method to replace the cookie data for the SSO account during the execution of the web application, so the web application cannot be executed (or used) immediately for the switched SSO account. Therefore, in order to execute the web application for the switched SSO account, the execution of the web application for the existing SSO account must be terminated based on user input, and the web application must be re-executed. As a result, personalized information, such as user history information for the existing SSO account, remains during the period from the switch of the SSO account until the web application currently running is terminated. This results in an infringement of user privacy. Furthermore, overhead may occur as the initialization procedure is performed again due to the re-execution of the web application. This degrades the usability and performance of the web application.
[0134] Hereinafter, with reference to FIG. 8, an embodiment for improving the usability and performance of a web application and protecting the privacy of a user by using mutually isolated account cookie data and replacing account cookie data based on SSO account switching during the execution of the web application will be described.
[0135] FIG. 8 is a diagram illustrating a procedure for switching user accounts for the use of a web application according to one embodiment of the present disclosure.
[0136] The embodiment of FIG. 8 may be an example of the operation of the electronic device of FIG. 6 (e.g., the electronic device (101) of FIG. 1 or the electronic device (500) of FIG. 5). Unlike the embodiment of FIG. 7, in the embodiment of FIG. 8, it is assumed that the first account cookie data (541) (e.g., the first account cookie data (310) of FIG. 3) and the second account cookie data (542) (e.g., the second account cookie data (320) of FIG. 3) are stored isolated from each other. For example, the first account cookie data (541) and the second account cookie data (542) may each be stored isolated from each other using a security mechanism (e.g., a sandbox mechanism) specified in a user-specific data area. Through this, each cookie data can be isolated and protected.
[0137] Referring to FIG. 8, in operation 801, the SSO module (510) receives user input for the login of the first user and can perform a login operation based on the user input. For a description of the login operation for the first user in operation 801, refer to the description of the login operation for the first user in operation 701 of FIG. 7. Below, subsequent operations are described based on the fact that the login for the first user is successful. When the login is successfully performed, the web application module (520) (e.g., the web browser (410) of FIG. 4) can obtain (or receive) an authentication session cookie from the authentication server.
[0138] In operation 803, the web application module (520) receives user input requesting the execution of a web application and can perform a web application execution operation based on the user input. For a description of the web application execution operation of operation 803, refer to the description of the web application execution operation of operation 703 of FIG. 7. Through this web application execution operation, at least one process (e.g., a browser process) for executing a web application can be executed.
[0139] In operation 805, the web application module (520) can obtain cookie data (hereinafter, first account cookie data (541)) associated with a first user account (hereinafter, first account) based on the execution of the web application. For a description of the operation to obtain the first account cookie data in operation 805, refer to the description of the operation to obtain the first account cookie data in operation 705 of FIG. 7. Through this operation to obtain the first account cookie data, the first account cookie data including the first session cookie can be obtained. The web application module (520) can perform communication with a web server and / or a web application server using the first account cookie data.
[0140] In operation 807, the SSO module (510) receives user input for the login of a second user while the web application is running and can perform a login operation based on the user input. For a description of the login operation for the second user in operation 807, refer to the description of the login operation for the first user in operation 801. Below, subsequent operations are described based on the fact that the login for the second user was successful.
[0141] In operation 809, the SSO module (510) may send a command to the web application module (520) requesting a log-out of the first user's account (first account) based on identifying that the login for the second user has been successful. The web application module (520) may perform a log-out operation for the first account. Subsequent operations are described below based on the fact that the log-out of the first account has been successful.
[0142] In operation 811, the web application module (520) may obtain cookie data (hereinafter, second account cookie data) for a second user account (hereinafter, second account) while the web application is running. For example, while the web application is running, the web application module (520) may receive (or obtain) second account cookie data (541) including a second session cookie from a service provider server (e.g., the first service provider server (221) or the second service provider server (222) of FIG. 2) that provides the web application through an authentication server, and may replace the first account cookie data (541) with the second account cookie data (542). The web application module (520) may perform communication with a web server and / or a web application server using the second account cookie data. Operation 811 may include all or part of the operations described above, for example, in operation 620 of FIG. 6.
[0143] Unlike operation 715 of FIG. 7 described above, in operation 811, when switching SSO accounts, the web application is not terminated, and the first account cookie data (541) can be replaced with the second account cookie data (542) while the web application remains running. Even if the account cookie data is replaced while the web application is running, the two account cookie data are stored in a state isolated from each other, so even if one account cookie data is stolen, it may be difficult to obtain the other account cookie data. Therefore, despite the replacement of account cookie data while the web application is running, personalized information such as history information about the user of the existing SSO account is not exposed, and the user's privacy can be guaranteed.
[0144] In operation 813, the web application module (530) receives user input requesting the execution of a web application for a second user account (second account) and can perform a web application execution operation based on the user input. For a description of the web application execution operation for the second account in operation 813, refer to the description of the web application execution operation for the first account in operation 803. Unlike operation 713 of FIG. 7 described above, in operation 813, when switching SSO accounts, the web application is not terminated and then re-executed, and the web application for the second account can be executed while the execution of the web application is maintained. Therefore, the initialization procedure resulting from the termination and re-execution of the web application is not performed, thereby reducing the occurrence of overhead. As a result, the usability and performance of the web application can be improved.
[0145] FIG. 9 is a diagram illustrating a procedure for switching user accounts for the use of a web application according to one embodiment of the present disclosure.
[0146] FIG. 10 is a drawing illustrating an account selection screen according to one embodiment of the present disclosure.
[0147] The embodiment of FIG. 9 may be an example of the operation of the electronic device of FIG. 6 (e.g., the electronic device (101) of FIG. 1 or the electronic device (500) of FIG. 5). Unlike the embodiments of FIG. 7 and 8, the embodiment of FIG. 9 exemplarily describes a procedure in which a user account (e.g., SSO account) is switched due to the expiration of a specified timeout time, rather than a switching of the user account (e.g., account switching or login input) based on user input.
[0148] Unlike the embodiment of FIG. 7, in the embodiment of FIG. 9, it is assumed that the first account cookie data (541) (e.g., the first account cookie data (310) of FIG. 3), the second account cookie data (542) (e.g., the second account cookie data (320) of FIG. 3) and the guest account cookie data (543) are stored isolated from each other. For example, the first account cookie data (541), the second account cookie data (542), and the guest account cookie data (543) may each be stored isolated from each other using a security mechanism (e.g., a sandbox mechanism) specified in the user-specific data area.
[0149] Referring to FIG. 9, in operation 901, the SSO module (510) receives user input for the login of the first user and can perform a login operation based on the user input. For a description of the login operation for the first user in operation 901, refer to the description of the login operation for the first user in operation 701 of FIG. 7. Below, subsequent operations are described based on the assumption that the login for the first user is successful. When the login is successfully performed, the web browser can obtain (or receive) an authentication session cookie from the authentication server.
[0150] In operation 903, a web application module (e.g., the web browser (410) of FIG. 4) (520) receives user input requesting the execution of a web application and can perform a web application execution operation based on the user input. For a description of the web application execution operation of operation 903, refer to the description of the web application execution operation of operation 703 of FIG. 7. Through this web application execution operation, at least one process for executing a web application (e.g., a browser process) can be executed.
[0151] In operation 905, the web application module (520) can obtain cookie data (hereinafter, first account cookie data (541)) associated with a first user account (hereinafter, first account) based on the execution of the web application. For a description of the operation to obtain the first account cookie data in operation 905, refer to the description of the operation to obtain the first account cookie data in operation 705 of FIG. 7. Through this operation to obtain the first account cookie data, the first account cookie data including the first session cookie can be obtained. The web application module (520) can perform communication with a web server and / or a web application server using the first account cookie data.
[0152] According to one embodiment, if the web application module (520) is not executed (or used) for a specified timeout time (900) (e.g., 1 hour) after the web application has been executed (i.e., when the specified timeout time (900) expires), the web application module (520) may perform a timeout operation. For example, as a timeout operation, the web application module (520) may perform an operation to log out all web applications associated with the first account, an operation to terminate the web application, and / or an operation to terminate the web browser. However, such an operation to disable all of them may result in a significant loss of resources upon subsequent re-execution, thereby degrading the usability and performance of the web application. For example, as a timeout operation, the web application module (520) may perform an operation to replace the first account cookie data (541) with the cookie data for the guest account (hereinafter referred to as guest account cookie data) (543).
[0153] In operation 906, the web application module (520) may acquire guest account cookie data (543) based on the expiration of a specified timeout period (900). For example, the web application module (520) may acquire guest account cookie data (543) in response to the expiration of the specified timeout period (906) (e.g., at the time of expiration) or after the expiration (e.g., within a specified period after the expiration), and may convert (or replace) the first account cookie data (541) with the guest account cookie data (543). The web application module (520) may perform communication with a web server and / or a web application server using the guest account cookie data. Meanwhile, in operation 906, when the timeout period (900) expires, the first account cookie data (541) may be replaced with the guest account cookie data (543) while the execution of the web application is maintained. Even if account cookie data is replaced during the execution of the web application, since the two account cookie data are stored in an isolated state, it may be difficult to obtain the other account cookie data even if one account cookie data is exposed. Therefore, despite the replacement of account cookie data during the execution of the web application, the user's privacy can be guaranteed against the exposure of history information regarding the existing SSO account user. Furthermore, compared to the operation of deactivating the entire system upon the expiration of the timeout period (900), the operation of switching to guest account cookie data may be advantageous in terms of usability and performance.
[0154] In operation 907, the web application module (520) may receive user input requesting the execution of the web application from a first user or a second user. In operation 909, the web application module (520) may provide an account selection screen (e.g., the account selection screen (1000) of FIG. 10) in response to the receipt of user input. As illustrated in FIG. 10, a single electronic device (e.g., a smart TV) may be used jointly by multiple users (or user accounts).
[0155] According to one embodiment, with reference to FIG. 10, an account selection screen (1000) may include at least one selectable account (1011, 1012, 1013), a login button (1020) for logging in, and / or an account creation button (1030) for creating an account. At least one account (1011, 1012, 1013) may be an SSO account linked to an account of a platform (OS). At least one account (1011, 1012, 1013) may include a first account (1011) of a first user, a second account (1012) of a second user, and / or a third account (1013) of a third user. At least one account (1011, 1012, 1013) displayed on the account selection screen (1000) may be, for example, an account that has already been logged in. In this case, since the account corresponds to an account for which user authentication has been performed by an authentication server (e.g., the authentication server (210) of FIG. 2), the web application module (520) may already have an authentication session cookie for the account. According to one embodiment, the web application module (520) may receive user input selecting a first account (1011) as in operation 911a, or user input selecting a second account (1012) as in operation 911b, through the account selection screen (1000). When one account is selected through the account selection screen (1000), or when one account is selected through the account selection screen (1000) and the login button (1020) is pressed, the account may be switched to the selected account.
[0156] In operation 913a, the web application module (520) may obtain first account cookie data (541) based on receiving user input selecting a first account. After receiving user input selecting a first account, the web application module (520) may obtain (or receive) the first account cookie data (541) and replace guest account cookie data (543) with the first account cookie data (541). In this case, the guest account cookie data (543) may be the same cookie data as the original account cookie data prior to the switch, and all existing settings (e.g., personalization information and / or settings) may be retained. This may reduce overhead caused by re-execution.
[0157] In operation 913b, the web application module (520) can obtain second account cookie data (542) based on receiving user input selecting a second account. After receiving user input selecting a second account, the web application module (520) can obtain (or receive) the second account cookie data (542) and replace the guest account cookie data (543) with the second account cookie data (542).
[0158] The above-described operations 907 to 913a / b can all be performed while the execution of the web application is maintained. This can reduce the overhead caused by re-execution.
[0159] FIGS. 11a and 11b are drawings for explaining the operation of obtaining user input requesting the execution of a web application according to one embodiment of the present disclosure.
[0160] In the embodiments of FIGS. 11a and 11b, the operation of obtaining a user input requesting the execution of a web application (hereinafter, web application execution request input) may be, for example, an example of operation 630 of FIG. 6, operation 703, 711 or 713 of FIG. 7, operation 803 or operation 813 of FIG. 8, or operation 903 or 907 of FIG. 9. Such web application execution request input may be, for example, an input for a new user to execute a web application in the background after switching user accounts (e.g., after logging in with a new user account (e.g., SSO account) and logging out of the existing user account).
[0161] Referring to FIG. 11a, a request input for executing a web application can be obtained through a web browser (1100a) (e.g., the web browser (400) of FIG. 4). According to one embodiment, the web browser (1000a) may include an address input section (1110a), a screen display section (1120a), a user display section (1130a), at least one tab (1140a), and / or a screen switching section (1150a). The user display section (1130a) may display a logged-in user (or user account). The screen switching section (1150a) may be used to switch to a screen associated with the web browser (1000a) (e.g., the web application selection screen (1100b) of FIG. 11b).
[0162] According to one embodiment, an electronic device (e.g., the electronic device (101) of FIG. 1, the electronic device (500) of FIG. 5) can obtain a user input that inputs and executes a URL (e.g., domainA.com) corresponding to a web application (e.g., Web Application A) through the address input section (1110a) of a web browser (1100a) as a web application execution request input. Through this web application execution request input, the execution screen of Web Application A corresponding to the input can be displayed on the screen display section (1120a) of the web browser. The screen display section (1120a) can be associated with at least one tab (1140a). Among the at least one tab (1140a), the tab associated with the screen currently displayed in the screen display section (1120a) can be displayed as active.
[0163] Referring to FIG. 11b, a request to execute a web application can be obtained through a dedicated web application selection screen (1100b). According to one embodiment, the web application selection screen (1100b) may include at least one selectable web application display section (1111b, 1112b), a web service (or web application) addition section (1120b), a user display section (1130a), and / or a screen transition section (1140b). The screen transition section (1140b) may be used to transition to a screen associated with the web application selection screen (1000b) (e.g., the screen of the web browser (1100a) in FIG. 11a). The user display section (1130b) may display a logged-in user (or user account).
[0164] According to one embodiment, the electronic device may obtain a user input selecting an application (e.g., Web Application A) to be executed through a web application display portion (1111b, 1112b) of a web browser (1100b) as a web application execution request input. Through this web application execution request input, an execution screen of Web Application A corresponding to the input may be displayed on a screen display portion (1120a) of the web browser. The screen display portion (1120a) may be associated with at least one tab (1140a). Among the at least one tab (1140a), the tab associated with the screen currently displayed in the screen display portion (1120a) may be displayed as active.
[0165] FIG. 12 is a diagram illustrating the operation of reconfiguring a web browser tab according to a user account switch, according to one embodiment of the present disclosure.
[0166] In the embodiment of FIG. 12, the operation of reconfiguring the tabs of a web browser according to the switching of user accounts (hereinafter, tab reconfiguration operation) may be an example of an operation performed between, for instance, operation 620 of FIG. 6 and operations 809 to 813 of FIG. 8.
[0167] Referring to FIG. 12, according to one embodiment, an electronic device (e.g., the electronic device (101) of FIG. 1 or the electronic device (500) of FIG. 5) may close all tabs (1240a) (e.g., A, B, C, and D) associated with the first user account (1220a) within a web browser (1200a), as illustrated at the top of FIG. 12, before receiving user input for running a web application based on a first user account. The web browser (1200a) may display the URL of the currently running web application through an address input section (1210a), display the execution screen of the currently running web application through a screen display section (1220a), and display the currently logged-in user through a user display section (1220a).
[0168] According to one embodiment, in response to receiving user input for running a web application based on a second user account, the electronic device may create at least one tab (1240b) (e.g., A, B, E) associated with the second user account within a web browser (1200b), as illustrated at the bottom of FIG. 12. The web browser (1200b) may display the URL of the currently running web application through an address input section (1210b), display the execution screen of the currently running web application through a screen display section (1220b), and display the currently logged-in user through a user display section (1220b).
[0169] According to one embodiment, the termination and / or creation of tabs may be performed in the background (e.g., by a background process). At least one newly created tab may have the user's personalized data and / or settings (e.g., bookmarks, usage history, favorites, web browser settings, web application settings) associated with a second user account applied to it. In this way, by terminating only the tab(s) associated with the existing user account and creating the tab(s) associated with the new user account in the background without terminating and restarting the process associated with the web application (e.g., the browser process), rapid switching of user accounts may be possible while protecting the user's privacy.
[0170] The effects obtainable from the present disclosure are not limited to those mentioned above, and other unmentioned effects will be clearly understood by those skilled in the art to which the present disclosure belongs from the description below.
Claims
1. In an electronic device, Memory comprising at least one storage medium for storing instructions; and It includes at least one processor comprising a processing circuit, wherein the at least one processor is: While the web application is running based on a first user account, it identifies a transition from the first user account to a second user account, and Based on identifying the transition from the first user account to the second user account, while maintaining the execution of the web application, cookie data for the web browser used for the execution of the web application is changed from the first cookie data associated with the first user account to the second cookie data associated with the second user account, and Receiving user input to execute the above web application based on the above second user account, An electronic device that maintains the execution of the above web application, comprising maintaining the execution of at least one process associated with the above web application.
2. In Paragraph 1, An electronic device in which the first cookie data is isolated from the second cookie data using a specified security mechanism.
3. In Paragraph 2, An electronic device configured such that the first cookie data is stored within an access protection area different from the second cookie data.
4. In paragraph 1, the processor is: Before receiving the user input for executing the web application based on the second user account, close at least one tab associated with the first user account within the web browser, and An electronic device that creates at least one tab associated with the second user account within the web browser in response to receiving the user input for executing the web application based on the second user account.
5. In Paragraph 1, The electronic device, wherein the above-mentioned at least one process comprises one or more of a browser process for managing the functions of the web browser, a rendering process for rendering data received from a server to display a screen on the web browser, or a network process for communicating with the server.
6. In Paragraph 1, An electronic device comprising: the first cookie data including identification information of a first session established for communication between the web browser and the server based on the first user account; and the second cookie data including identification information of a second session established for communication between the web browser and the server based on the second user account.
7. In Paragraph 1, An electronic device in which the first user account is an SSO (single sign-on) account linked to a platform account of a user different from the second user account.
8. In paragraph 1, the processor is: While the web application is running based on the second user account, it identifies that a specified timeout time has expired, and An electronic device that, based on identifying that the above timeout time has expired, changes cookie data for the web application from the second cookie data to guest cookie data associated with a guest account while maintaining the execution of the web application.
9. In paragraph 8, the above processor is: While the above web application is running based on the guest account, receive user input to run the web application based on the second user account, and In response to the above user input, while maintaining the execution of the web application, the cookie data for the web application is changed from the guest cookie data to the third cookie data associated with the second user account, and An electronic device in which the above third cookie data is set identically to the above second cookie data.
10. In a method of an electronic device, An action of identifying a transition from the first user account to the second user account while the web application is running based on the first user account; Based on identifying a transition from the first user account to the second user account, while maintaining the execution of the web application, the operation of changing cookie data for a web browser used for the execution of the web application from first cookie data associated with the first user account to second cookie data associated with the second user account; and It includes an operation of receiving user input to execute the above web application based on the second user account, and A method of maintaining the execution of the above web application, comprising maintaining the execution of at least one process associated with the web application.
11. In Paragraph 10, A method in which the first cookie data is isolated from the second cookie data using a specified security method.
12. In Paragraph 11, A method in which the first cookie data is configured to be stored in an access protection area different from the second cookie data.
13. In paragraph 11, the above method is: The operation of closing at least one tab associated with the first user account within the web browser prior to receiving the user input for executing the web application based on the second user account; and A method comprising the operation of creating at least one tab associated with the second user account within the web browser in response to receiving the user input for executing the web application based on the second user account.
14. In Paragraph 10, A method wherein at least one process comprises one or more of a browser process for managing the functions of the web browser, a rendering process for rendering data received from a server to display a screen on the web browser, or a network process for communicating with the server.
15. In Paragraph 11, A method comprising: the first cookie data including identification information of a first session established for communication between the web browser and the server based on the first user account, and the second cookie data including identification information of a second session established for communication between the web browser and the server based on the second user account.