Automatic cookie single sign on on multiple domains - like google

Question

I don\'t understand how google achieve the following mechanism of single sign on:

1. I login in gmail for example (I suppose this creates a cookie withmy authorizatio

Answer 1

While evaluating this cross domain SSO topic, I have come up with possible a new SSO synchronization flow using cookie with timestamp. Although it is not a flow used by Google, I think this flow is possible to implement for system with limited number of domains.

This flow do not use 3rd party cookie

This is going to be a long post :)

domains

To make an example, let say we have these domains for our example pet forums:

• https://account.domain1.com (For SSO Login)
• .domain1.com (e.g. https://cat.domain1.com)
• .domain2.com (e.g. https://dog.domain2.com)
• .domain3.com (e.g. https://rabbit.domain3.com)

Change to https://account.domain1.com:

• Add https://account.domain2.com and https://account.domain3.com, route both host name traffic to the server hosting https://account.domain1.com

Login Steps:

1. User go to dog.domain2.com, user have not sign in yet.
2. User click the Login button in dog.domain2.com
3. User get redirect to account.domain1.com for login
   • This step can be any Login protocol, OAuth, OIDC, SAML, CAS, etc
   • So, it is important for user to be redirected back to original page after login
   • Let say this https://account.domain1.com?redirect_uri=https://dog.domain2.com
   • redirect_uri as in the URL to go back after login success
4. User Input username & password, login success
5. New step, before redirect back to https://dog.domain2.com, set cookies on all domains
   1. Redirect browser to https://accounts.domain2.com?...
   2. Set a cookie on the .domains2.com domain (More on the cookie value later)
   3. Redirect browser to https://accounts.domain2.com?...
   4. Set a cookie on the .domains3.com domain
   5. Redirect browser to https://accounts.domain1.com?...
   6. Set a cookie on the .domains1.com domain
   7. Redirect back to original flow
6. Redirect user back to their original service, i.e. https://dog.domain2.com

Now, right after login flow we have cookies over all 3 domains. Any of our service (e.g. https://cat.domain1.com / https://dog.domain2.com / https://rabbit.domain2.com ) can access this cookie under their own domain.

Cookie Content

• The content of the cookie, should allows for any webpage to look at it, and determine if SSO sync is needed
• Different types of cookie content can be stored, including
  • Boolean indicate user logined or not
  • User ID
  • Expired At timestamp

Boolean indicate user logined or not

• Storing have_user_login = true / false have sync issue
• Suppose User A login, visit https://cat.domain1.com, User A Logout, and User B login
• Now, from https://cat.domain1.com standpoint, no sync is needed
• However, https://cat.domain1.com is storing User A instead of User B, hence the sync issue.

User ID

• While it is tempting to just stored the user_id on those cookie, and let all the domain to see them and set the user accordingly.
  • This is way too dangerous, since the cookie is set at the parent domain,
  • if any of the website under your domain been hacked, impersonation might happen (Copying any of the user_id, pasting it to their own browser cookie).

Expired At Timestamp

• What I suggest, is for the cookie value to set as the SSO expired time, and set the type as session cookie, this have the following benefits:
  • An expired time have minimal security impact if leaked / altered
  • Our website can check the expired time to know if user need to relogin
  • As for why session cookie, is for when user close them browser, and tried to login again, the cookie will be deleted hence logout the user as well
• Any webpage that use the SSO, should also stored a cookie themselves with the same expired time
  • There will be cases that, User A Login, visit https://cat.domains1.com Then User B Login
  • Since User A and User B will have a different login expired time, storing and compare that timestamp will tell the user to sync with SSO again

Example checking implement for your service

E.g. On https://cat.domains1.com, you can add this to the top of your page load

Logout

Login is very similar to Login, basically:

• Before logout goes through, redirect to all 3 domains just like login
• Remove the SSO cookie
• Continue the normal logout flow

Pro and cons for the methods:

• Pro: All domain sync possible
• Pro: No need to relies on 3rd party cookie
• Cons: First time login longer (around 50ms longer)
• Cons: Customization on every website is needed for the sync to works