Automatic cookie single sign on on multiple domains - like google

Backend · unresolved · 5 answers · 1423 views
眼角桃花 2021-01-30 17:36

I don't understand how google achieve the following mechanism of single sign on:

  1. I login in gmail for example (I suppose this creates a cookie with my authorizatio
5 answers
  •  梦如初夏
    2021-01-30 17:58

    The cookies are set on specific domains. Ex:

    setcookie(name,value,expire,path,domain) 
    

    When you log in on gmail, before "mail.google.com", you have been redirected to "accounts.google.com" then to "mail.google.com" so the cookies are on "accounts.google.com" too.

    In this case, the domain is "accounts.google.com" and the path is "/" (the home path).

    When you request "www.youtube.com" and then click on "connection", it requests "accounts.google.com" so fast that you can't see this redirection, and checks whether you have cookies on "accounts.google.com". If so, it checks whether the cookies are valid and not expired, or the user not banned... Then it redirects you to "www.youtube.com/signin?loginthisSession=Sessionid". This request contains the value of the sessionid cookie caught from the cookies of "accounts.google.com".

    In the last step, "www.youtube.com" logs you in and sets its own cookie on the domain "www.youtube.com" and saves it.

    So the trick is on the 302 HTTP redirect.
