Automatic cookie single sign on on multiple domains - like google

I don't understand how google achieve the following mechanism of single sign on:

  1. I log in to Gmail, for example (I suppose this creates a cookie with my authorization)
  2. I open a new tab and directly type the URL of "youtube"
  3. Then I enter YouTube logged in.

How can this second site detect that I've already logged in? They are different domains. YouTube can't read the cookie of Gmail.

All the solutions I've read about single sign-on don't allow this. The client always asks permission from a central login app. In my example YouTube doesn't know I am the same user logged in to Gmail (actually it does know, but I don't understand how).

Note that I type the URL of "youtube" by hand. I don't click the YouTube icon from the upper toolbar of Gmail (in that case Gmail may pass some auth params through the URL, for example).

user1518048 asked Jul 11 '12 14:07

1 Answer

The cookies are set on specific domains. Ex:

setcookie(name,value,expire,path,domain)  

When you log in on Gmail, before "mail.google.com", you have been redirected to "accounts.google.com" and then to "mail.google.com", so the cookies are on "accounts.google.com" too.

In this case, the domain is "accounts.google.com" and the path is "/" (the home path).

When you request "www.youtube.com" and then click on "connection", it requests "accounts.google.com" fast, so you can't see this redirection, and checks if you have cookies on "accounts.google.com". If so, it checks if the cookies are valid and not expired, or the user not banned... Then it redirects you to "www.youtube.com/signin?loginthisSession=Sessionid". This request contains the value of the sessionid cookie caught from the cookies of "accounts.google.com".

In the last step, "www.youtube.com" logs you in, sets its own cookie on the domain "www.youtube.com" and saves it.

So the trick is on the 302 HTTP redirect.

Update

I do not know why people keep mentioning iframes. Take a look at the date when this question was posted, in 2016: Google was not using iframes then. As I mentioned, in the capture of web traffic you can see SetSID, which means set the cookie of SESSION_ID from accounts.google.dz(com), then it redirects to youtube.com. It cannot be used through an iframe across different domains; as a security measure you cannot be redirected from domain to domain through an iframe either. Please read this before posting.

Hichem answered Sep 20 '22 14:09