Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It shouldn't. SSO doesn't typically work by sharing cookies, which have always been limited to a single domain in the first place.


I'm not sure about that. It depends on where the boundaries of the "cookie jar" are (through redirects and such). And I suspect it will effect it, in order to accomplish it's purpose. After all, what is tracking but a sort of "SSO" you don't know about.

(OK, technically tracking is less powerful than SSO, since only the third-party needs to know your "single" identity, the first-party website doesn't actually know it, where in SSO it does)

I mean, to be clear -- I mean the new thing might make you enter your username and password to SSO login on each site, whereas ordinarily if you have an active SSO session you don't need to re-enter username and password to login with SSO on a new site. Will it break SSO even if you are fine re-entering username and password every time you SSO login? I am not sure, but I definitely wouldn't be confident 'no' without more details/testing.


Those work by redirect you on top level domain (the url you see in url bar) shouldn't be affected. They don't even share cookie directly anyway. (Which is just.... standard oauth)

Those work by enbedded into pages (iframe) or popups may.

The biggest offender of this kind of usage is probably facebook comment / disqus comment.


Makes sense.

The difference will be (I predict) that when you are redirected to the SSO, you will _always_ have to enter your username/password, or at least once per "first party" site you are logging into.

Whereas right now, sometimes when you get redirected to the SSO/oath, it already knows who you are, and you don't need to log in again -- you just get invisibly redirected back, and/or just have to click a button saying "yeah, it's cool". But with the cookie sandboxes, you'll always have to actually enter username and password to your SSO. Because the cookies that would have told the SSO(/oauth provider) that you have an active auth session, from when you logged in earlier today or whatever -- won't make it.

Or maybe not, depending on how it's implemented -- but if a redirect is enough to defeat it and make it think you're in a different sandbox, then I expect all the trackers will be able to defeat the sandboxing with careful use of redirects. So.


Ad don't redirect you on top level domain anyway (except for some malicious ad). And silent popup these days don't even work.

If the site is willing to redirect you directly to another site. I guess they can share data by themselves anyway?

I think sabotage of silent tracking pixel/ajax tracking is enough for most usage without breaking the web.


It would break things like medium.com's constant prompt to login with this list of google accounts, but it wouldn't break SSO - SSO itself is typically handled by a series of redirections, and at the time you're redirected _to_ the SSO server, you're giving your cookies to _them_, then you're redirected back with a signed response and get cookies for the _destination_ domain - at no time during the exchange does the SSO server need to directly talk to the relying party.

Implementations may of course vary.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: