undefined | Better HN

0 pointsarghwhat7mo ago0 comments

Modern auth systems do not work by exposing multiple services on a single domain with shared cookies.

Instead, they authenticate using a common auth service (say, auth.google), which by virtue of being a single domain can persist shared cookies for all its consumers. This would yield a valid token (possibly a JWT) that the authenticating application can then use however it would like, including as a cookie on the application's own domain.

Whenever you go to a service that temporarily sends you to a different login domain (often just immediately redirection you back), this is why.

0 comments

Thorrez7mo ago

Some modern auth systems. Not all.

I created a separate Chrome profile, and logged in to gmail. Then I disabled javascript, then deleted all my google.com cookies (but left my mail.google.com cookies). Then I reenabled javascript and visited mail.google.com again. I was logged out. So Google is using the google.com cookies.

j / k navigate · click thread line to collapse

0 comments

Thorrez7mo ago

Some modern auth systems. Not all.

j / k navigate · click thread line to collapse