I don't understand how google achieve the following mechanism of single sign on:
How can this second site detect that I've already been logged in. They are different domains. Youtube can't read the cookie of Gmail.
All the solutions I've read about Single sign on don't allow this. The client always ask permission to a central login app. In my example YouTube doesn't know I am the same user logged in Gmail (actually it does know, but I don't understand how)
Note that I type the url of "youtube" by hand. I don't clic the youtube icon from the upper toolbar of gmail (In that case gmail may pass some auth params through the url for example).
As you may know, cookie can't be set in a different domain from another domain directly. If you're having multiple sites in where you need to set a cookie from a parent site, you can use basic HTML and JS to set the cookies. Google is using this same way.
The SSO domain authenticates the credentials, validates the user, and generates a token. The user is sent back to the original site, and the embedded token acts as proof that they've been authenticated. This grants them access to associated apps and sites that share the central SSO domain.
Setting cookies for another domain is not possible. If you want to pass data to another domain, you can encode this into the url.
Cookies are the go-to method for tracking user information in a web client. First-party cookies (cookies set on the current domain you are browsing) allow tracking for data on a single domain or subdomains, so they will not work across top-level domains.
The cookies are set on specific domains. Ex:
setcookie(name,value,expire,path,domain)
When you log in on gmail, before "mail.google.com", you have been redirected to "accounts.google.com" then to "mail.google.com" so the cookies are on "accounts.google.com" too.
In this case, the domain is "accounts.google.com" and the path is "/" (the home path).
When you request "www.youtube.com" then you click on "connection" it requests "accounts.google.com" fast so you can't see this redirection and checks if you have cookies on "accounts.google.com". If so, it checks if the cookies are valid and not expired, or user not banned... Then it redirects you to "www.youtube.com/signin?loginthisSession=Sessionid". This request contains the value of the of sessionid cookie catched from the cookies of "accounts.google.com".
In the last step, "www.youtube.com" logs you and set its own cookie on the domain "www.youtube.com" and saves them.
So the trick is on the 302 HTTP redirect.
Update
i do not know why people keep mentioning iframe
take a look at the date whene this questions was posted on 2016
google was not using then iframe
as i mentioned the capture of web traffic as you can see SetSID
wich means set the cookie of SESSION_ID from accounts.google.dz(com)
then redirects to youtube.com
it can not be used trought iframe
differant domains
security measure
you can not be redirected from domain to domain trought iframe neither
please read this before posting
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With