Automatic cookie single sign on on multiple domains - like google


Solution 1

The cookies are set on specific domains. Ex:

setcookie(name,value,expire,path,domain) 

When you log in on Gmail, before reaching "mail.google.com" you are redirected to "accounts.google.com" and then to "mail.google.com", so the cookies are on "accounts.google.com" too.

In this case, the domain is "accounts.google.com" and the path is "/" (the home path).

When you request "www.youtube.com" and then click on "connection", it requests "accounts.google.com" (so fast that you can't see this redirection) and checks whether you have cookies on "accounts.google.com". If so, it checks whether the cookies are valid and not expired, the user not banned... Then it redirects you to "www.youtube.com/signin?loginthisSession=Sessionid". This request contains the value of the sessionid cookie caught from the cookies of "accounts.google.com".

In the last step, "www.youtube.com" logs you in, sets its own cookie on the domain "www.youtube.com" and saves it.

So the trick is on the 302 HTTP redirect.

Update

I do not know why people keep mentioning iframes. Take a look at the date when this question was posted: 2016. Google was not using iframes then. As I mentioned, in the capture of web traffic you can see SetSID, which means set the cookie of SESSION_ID from accounts.google.dz (com), and then it redirects to youtube.com. It cannot be done through an iframe; different domains are a security measure, and you cannot be redirected from domain to domain through an iframe either. Please read this before posting.

(image: capture of the web traffic showing the SetSID redirect)
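Added example, not from the answer above and not Google's code: a Python simulation of the 302 handshake the answer describes, with two separate cookie jars standing in for accounts.google.com and www.youtube.com. Where the answer has the redirect carry the session id itself, this version swaps in an HMAC-signed, short-lived, single-use token so the central session cookie never leaves its own domain; the domain names and the shared signing key are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo values: the key is assumed to be shared between the
# central login domain and the service domain out of band.
SECRET = b"demo-shared-signing-key"
redeemed_nonces = set()  # tokens already used once; replays are refused


class Domain:
    """One origin with its own cookie jar and its own server-side sessions."""
    def __init__(self, name):
        self.name, self.cookies, self.sessions = name, {}, {}


idp = Domain("accounts.example.com")   # plays accounts.google.com
svc = Domain("www.video.example.com")  # plays www.youtube.com


def idp_login(user):
    """Step 1: user logs in at the central domain; the SID cookie lives only there."""
    sid = secrets.token_hex(16)
    idp.sessions[sid] = user
    idp.cookies["SID"] = sid


def idp_check_and_redirect(now=None):
    """Step 2: the service 302s the browser here; the IdP reads ITS OWN cookie
    and answers with a 302 whose Location carries a signed 60-second token."""
    user = idp.sessions.get(idp.cookies.get("SID"))
    if user is None:
        return "302 Location: https://%s/login" % idp.name
    payload = {"sub": user, "exp": (now or time.time()) + 60, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return "302 Location: https://%s/signin?token=%s.%s" % (svc.name, body, mac)


def svc_signin(location, now=None):
    """Step 3: the service verifies the token, then sets its own cookie on its own domain.
    Returns the signed-in user, or None if the token is forged, expired or replayed."""
    if "token=" not in location:
        return None
    body, _, mac = location.split("token=", 1)[1].partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] < (now or time.time()) or payload["nonce"] in redeemed_nonces:
        return None
    redeemed_nonces.add(payload["nonce"])
    sid = secrets.token_hex(16)
    svc.sessions[sid] = payload["sub"]
    svc.cookies["SVC_SID"] = sid
    return payload["sub"]
```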

Solution 2

Cookies and localStorage can be shared between domains using an intermediate domain. On the home page an "iframe" is embedded, which accesses the cookies and sends messages to the main page.

mail.google.com and youtube.com can share the cookies using accounts.google.es. Open Chrome -> Inspect -> Resources -> Local Storage and you will see in accounts.google.com the authentication token in JWT format.

I have detailed the technical steps in this answer: https://stackoverflow.com/a/37565692/6371459. Also take a look at https://github.com/Aralink/ssojwt to see an implementation of a Single Sign On using JWT in a central domain.

Solution 3

Check this out: http://www.codeproject.com/Articles/106439/Single-Sign-On-SSO-for-cross-domain-ASP-NET-applic. The article consists of an explanation and a sample of cross-domain SSO.

Author by user1518048

Updated on June 27, 2022

Comments

  • user1518048
    user1518048 almost 2 years

    I don't understand how Google achieves the following mechanism of single sign on:

    1. I log in to Gmail, for example (I suppose this creates a cookie with my authorization).
    2. I open a new tab and directly type the URL of "youtube".
    3. Then I enter YouTube logged in.

    How can this second site detect that I've already been logged in? They are different domains. YouTube can't read the cookie of Gmail.

    All the solutions I've read about single sign on don't allow this. The client always asks permission from a central login app. In my example YouTube doesn't know I am the same user logged in to Gmail (actually it does know, but I don't understand how).

    Note that I type the URL of "youtube" by hand. I don't click the YouTube icon from the upper toolbar of Gmail (in that case Gmail may pass some auth params through the URL, for example).