How does Google achieve seamless SSO across multiple domains like Gmail and YouTube?
Software Engineer
Have you ever wondered how logging into Gmail automatically signs you into YouTube, Google Drive, and every other Google service? The technique behind this is Single Sign-On (SSO). In this post I walk through how Google does it, using the requests you can observe in the browser during login and logout.
The Challenge of Cross-Domain Authentication
Browsers scope cookies to the host or domain that set them, and the Same-Origin Policy keeps scripts on one origin from reading another origin's data. A cookie set for .google.com is therefore sent to mail.google.com and drive.google.com, but never to youtube.com or google.com.vn, and no page on youtube.com can read it. This isolation is essential for protecting user data, but it means a login on google.com does not, by itself, create a session on the other domains Google owns.
To overcome this, Google combines cookies, a short-lived cross-domain token, and a chain of redirects and background requests that synchronizes the authentication session across its services.
Step-by-Step Login Flow
1. Initial Login Request
When a user navigates to a Google service (e.g., Gmail at https://mail.google.com) without a session, Gmail redirects the browser to the central authentication server at https://accounts.google.com.
At https://accounts.google.com the user enters their credentials. On success, the server sets a session cookie scoped to the .google.com domain, so it accompanies every request to a *.google.com host (Gmail, Drive, accounts.google.com itself) but not requests to youtube.com:
```http
HTTP/1.1 200 OK
Set-Cookie: SID=SESSION_COOKIE; Domain=.google.com; Secure; HttpOnly
```
2. Generating Cross-Domain Session Identifiers
Google's authentication server also generates a session identifier (the sidt parameter in the requests below). This identifier, not the .google.com cookie, is what carries the login to the other Google-owned domains: the server redirects the browser through each of them in turn, and each one uses the identifier to establish its own session.
Redirect to YouTube:
```http
GET /accounts/SetSID?sidt=UNIQUE_SESSION_ID&continue=https://mail.google.com/mail&<other_params>
Host: accounts.youtube.com
```
Response from YouTube:
```http
Set-Cookie: SID=YOUTUBE_SESSION_COOKIE; Domain=.youtube.com; Secure; HttpOnly
```
YouTube then redirects to the localized domains (e.g., Vietnam), passing the same identifier and continue value along:
```http
GET /accounts/SetSID?sidt=UNIQUE_SESSION_ID&continue=https://mail.google.com/mail&<other_params>
Host: accounts.google.com.vn
```
Response from the localized domain:
```http
Set-Cookie: SID=LOCALIZED_SESSION_COOKIE; Domain=.google.com.vn; Secure; HttpOnly
```
When accounts.youtube.com and each localized domain receive the request, they verify the identifier with the central authentication server rather than trusting it blindly; only if it is valid do they set a session cookie for their own domain. For this to be safe, the identifier has to be short-lived, usable once, and bound to the login that produced it: it travels in a URL, so anything that records URLs (proxy logs, browser history) records the identifier, and a replayable one would let whoever holds it establish sessions on those domains. The continue value likewise needs to be restricted to Google-owned destinations, since it decides where the browser is sent at the end of the chain.
3. Final Redirection
Once every domain in the chain has set its cookie, the last domain redirects the user back to the original service, taken from the continue parameter (https://mail.google.com/mail in the requests above). The user never sees the intermediate hops; the whole chain is a handful of redirects.
When the user navigates to another Google service (e.g., YouTube at
Step-by-Step Logout Flow
When the user signs out at https://accounts.google.com, the central server invalidates the .google.com session, and the browser sends background requests to the other domains so that each one clears its own cookie.
- YouTube:
```http
GET /ClearSID?sidt=UNIQUE_SESSION_ID HTTP/1.1
Host: accounts.youtube.com
```
- Localized domains:
```http
GET /ClearSID?sidt=UNIQUE_SESSION_ID HTTP/1.1
Host: accounts.google.com.vn
```
Each domain clears its cookie and invalidates its session, so a later request to YouTube or google.com.vn carrying the old cookie is treated as signed out.