2

I am looking into cross-domain sessions. These are sessions which are shared between two domains like google.com and spotify.com. I'm not looking for information regarding cross-domain sessions between sub-domains since they can be shared by broadening the scope of the cookies that carry the session identifier. play.google.com and mail.google.com can therefore easily share the same session and this session sharing does not require a complex set of redirects and/or ajax calls.

I would like to know if there is a formal standard in setting up such a cross-domain session. It seems as if every framework has its own mechanism, many of them using redirects, others using JavaScript. As part of research in this domain I am looking for anything that can be seen as a widely used standard to achieve these cross-domain sessions. Also information regarding informal standards (widely used mechanisms) is highly appreciated.

Edit based on Neil's answer: I realize now that I have indeed made some mistakes in my reasoning. It is not a cross-domain session that is required for SSO but actually a cross-domain state. Correct me if I'm wrong but, if a server is able to provide a whitelist of domains for which a cookie is valid, SSO would become far simpler without it being a security issue. You would just create a cookie with all the authentication information (uid, roles, idp, etc) and make this cookie shared between all domains you want to include in the SSO scope. You need to build in a mechanism that checks with the other domains in the whitelist, if they allow the first domain to set cookies for this domain.

Silver

1 Answer

6

I'm a bit confused about your vernacular. But I'll try.

I believe you are using the word "session" to refer to single sign-on (SSO). This is functionality that allows you to sign into one site and have that sign-on propagated to other sites without requiring re-authentication. There are several standards for this. They include OAuth¹, SAML, and OpenID Connect.

SSO is not the same thing as a shared session. A shared session implies some shared state beyond authentication while SSO only affects authentication. Sharing state across multiple websites tends to be difficult due to security features in the browser, the same-origin policy probably being the biggest. Features like supercookies and Flash cookies are sometimes used to implement shared sessions, but they tend to be very limited in functionality due to the browser's security protections.

Regarding the example you gave of Google and Spotify, they do not share a session. Instead, they use OAuth to allow a Google login to be used to create a new Spotify account. Once created, the accounts are disconnected. For example, logging out of one service will not log you out of the other one.

¹ Technically, OAuth is an authorization protocol, but it frequently looks like an SSO.

Neil Smithline
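The cookie-scope limit both posts rely on (subdomains can share a session cookie by widening its Domain attribute, but a site cannot set a cookie for an unrelated domain, which is why cross-domain SSO falls back to redirects or scripts), as an added example that is not part of the question or the answer. It models the RFC 6265 domain-matching rules in Python; the host names are constructed sample values, and the public-suffix check real browsers add on top is left out.

```python
from typing import List, Optional

# Added example, not code from the question or the answer: a minimal model
# of the RFC 6265 rules a browser applies when deciding which hosts receive
# a cookie and whether a server may widen a cookie's Domain at all.
# Host names below are constructed examples.

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: does request_host domain-match cookie_domain?"""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    # A suffix match only counts on a label boundary, so "evilgoogle.com"
    # does not match a cookie scoped to "google.com".
    return request_host.endswith("." + cookie_domain)


def accept_set_cookie(response_host: str, domain_attr: Optional[str]) -> Optional[str]:
    """RFC 6265 section 5.3 step 6: a server may only widen a cookie to a
    domain that its own host name domain-matches (itself or a parent).
    Returns the effective cookie domain, or None if the browser rejects it.
    (Simplification: real browsers also reject public suffixes such as "com".)"""
    if domain_attr is None:
        return response_host.lower()          # host-only cookie
    if domain_matches(response_host, domain_attr):
        return domain_attr.lower().lstrip(".")
    return None  # e.g. spotify.com trying to set Domain=google.com


def hosts_that_receive(cookie_domain: str, hosts: List[str]) -> List[str]:
    """Which of the given hosts would the browser send this cookie to?"""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


if __name__ == "__main__":
    sites = ["play.google.com", "mail.google.com", "spotify.com", "evilgoogle.com"]
    print("Domain=google.com reaches:", hosts_that_receive("google.com", sites))
    print("spotify.com setting Domain=google.com ->",
          accept_set_cookie("spotify.com", "google.com"))
```

The last call returns None, which is the browser-side reason the whitelist idea from the question's edit cannot be expressed with cookies alone.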