Thorrez 6 days ago

I don't think you can put cookies on a TLD. So if Google used mail.google and calendar.google, the login system would be more complex, because they can't share cookies.

arghwhat 6 days ago | parent [-]

Modern auth systems do not work by exposing multiple services on a single domain with shared cookies.

Instead, they authenticate using a common auth service (say, auth.google), which by virtue of being a single domain can persist shared cookies for all its consumers. This would yield a valid token (possibly a JWT) that the authenticating application can then use however it would like, including as a cookie on the application's own domain.

Whenever you go to a service that temporarily sends you to a different login domain (often just immediately redirecting you back), this is why.

Thorrez 6 days ago | parent | next [-]

Some modern auth systems. Not all.

I created a separate Chrome profile, and logged in to gmail. Then I disabled javascript, then deleted all my google.com cookies (but left my mail.google.com cookies). Then I reenabled javascript and visited mail.google.com again. I was logged out. So Google is using the google.com cookies.

6 days ago | parent | prev [-]
[deleted]
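
The cookie-scoping rule this thread turns on, sketched as an added example (not code from any commenter or from Google): RFC 6265 domain matching plus the public-suffix rejection, showing why `mail.google.com` and `calendar.google.com` can share a `google.com` cookie while `mail.google` and `calendar.google` cannot share one. `PUBLIC_SUFFIXES` is a constructed stand-in for the real Public Suffix List, and the function names are hypothetical.

```python
# Added illustration of RFC 6265 cookie scoping. PUBLIC_SUFFIXES is a tiny
# constructed sample; real browsers consult the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "google", "co.uk"}


def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def accept_cookie(request_host, domain_attr=None):
    """Return (scope, host_only) as stored by the browser, or None if rejected."""
    host = request_host.lower()
    if domain_attr:
        domain = domain_attr.lower().lstrip(".")
        if domain in PUBLIC_SUFFIXES:
            if domain != host:
                return None            # e.g. mail.google asking for Domain=google
            return (host, True)        # the suffix is itself the host: host-only
        if not domain_match(host, domain):
            return None                # a host cannot set cookies for other sites
        return (domain, False)         # shared with every subdomain of `domain`
    return (host, True)                # no Domain attribute: exact host only


def is_sent(cookie, host):
    """Would the stored cookie be attached to a request for `host`?"""
    scope, host_only = cookie
    return host.lower() == scope if host_only else domain_match(host, scope)


def shared_session(setter_host, domain_attr, other_host):
    """True if a cookie set by setter_host is also sent to other_host."""
    cookie = accept_cookie(setter_host, domain_attr)
    return cookie is not None and is_sent(cookie, other_host)


if __name__ == "__main__":
    for setter, attr, other in [
        ("mail.google.com", "google.com", "calendar.google.com"),
        ("mail.google", "google", "calendar.google"),
        ("mail.google.com", None, "calendar.google.com"),
    ]:
        print(setter, attr, "->", other, shared_session(setter, attr, other))
```

A host-only cookie on a single auth host (no `Domain` attribute) is still returned to that host on every redirect, which is what the central-login design described in the thread relies on.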