arghwhat 6 days ago
Modern auth systems do not work by exposing multiple services on a single domain with shared cookies. Instead, they authenticate using a common auth service (say, auth.google), which by virtue of being a single domain can persist shared cookies for all its consumers. This would yield a valid token (possibly a JWT) that the authenticating application can then use however it would like, including as a cookie on the application's own domain. Whenever you go to a service that temporarily sends you to a different login domain (often just immediately redirecting you back), this is why.
Thorrez 6 days ago
Some modern auth systems. Not all. I created a separate Chrome profile, and logged in to Gmail. Then I disabled JavaScript, then deleted all my google.com cookies (but left my mail.google.com cookies). Then I re-enabled JavaScript and visited mail.google.com again. I was logged out. So Google is using the google.com cookies.
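The two models discussed in the comments above, as an added sketch that is not code from either commenter or from any real provider: a redirect to a central auth host that returns an audience-bound token, next to a session cookie shared through a parent `Domain` attribute. The hosts (`auth.example`, `mail.example`, `corp.example`), the cookie names, the HMAC key and the session store are all constructed assumptions, and the cookie matching is a simplified form of RFC 6265.

```python
import base64, hashlib, hmac, json, time

AUTH_KEY = b"constructed-demo-key"   # assumption: shared HMAC key; real services often sign asymmetrically
SESSIONS = {"s-123": "alice"}        # constructed session store held by the auth service

def domain_match(host, cookie_domain, host_only):
    """Simplified RFC 6265 domain matching (no IP-address or public-suffix handling)."""
    if host_only:
        return host == cookie_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)

class Jar:
    """Minimal browser cookie jar holding (name, value, domain, host_only) tuples."""
    def __init__(self):
        self.cookies = []
    def set(self, name, value, origin_host, domain=None):
        # Without a Domain attribute the cookie is host-only for the setting host.
        self.cookies.append((name, value, domain or origin_host, domain is None))
    def sent_to(self, host):
        return {n: v for n, v, d, ho in self.cookies if domain_match(host, d, ho)}

def _sign(body):
    return hmac.new(AUTH_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_token(user, audience, ttl=60):
    claims = {"sub": user, "aud": audience, "exp": time.time() + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body + b"." + _sign(body)

def verify_token(token, audience):
    body, _, sig = token.rpartition(b".")
    if not hmac.compare_digest(sig, _sign(body)):
        return None                      # forged or modified token
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["aud"] != audience or claims["exp"] < time.time():
        return None                      # issued for another app, or expired
    return claims["sub"]

def login_flow(jar, app_host, auth_host="auth.example"):
    # 1. App redirects to the auth host; the browser sends only cookies matching it.
    user = SESSIONS.get(jar.sent_to(auth_host).get("sso"))
    if user is None:
        return None                      # no SSO session: a login prompt would appear
    # 2. Auth service redirects back with a token bound to this app.
    token = issue_token(user, app_host)
    # 3. App verifies the token and sets its own host-only session cookie.
    user = verify_token(token, app_host)
    if user:
        jar.set("app_session", user, app_host)
    return user
```

In the redirect model a token minted for one app is rejected by another because of the `aud` check, while a cookie set with `Domain=corp.example` is sent to every subdomain, so removing it ends the session on all of them at once.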