
Suppose that amazon.com sets a redirect header on its homepage to google.com. Upon visiting amazon.com, the browser fetches the response, reads from the header that it should head over to google.com, and proceeds to make another request to google.com. I understand that in this second request, the browser sends the cookies that the user may previously have had with google.com, is this correct? That is to say, if the user was previously logged in to his account on google.com he will appear logged in when amazon.com redirects there.

Just trying to make sure I understand all corner cases in interaction with external parties in a web app.

Mahn

1 Answer


"The browser sends the cookies that the user may previously have had with google.com, is this correct?"

Yes.

Unless the cookie has expired, whenever a domain/path is hit that has a cookie stored for it, that cookie is automatically sent with the request headers.

https://www.rfc-editor.org/rfc/rfc6265#section-4.2

However, Google's login procedures are fairly complex, as they cover all their domains and systems. It may redirect around a little to re-establish the user's login via a "remember-me token" and a fresh cookie being set from their central auth domain. They aren't the most straightforward example, but your general understanding of it is correct.

The definitive guide to form-based website authentication

This community wiki includes some good details on different authentication techniques, including "remember-me tokens".

MrYellow
    Thanks, just wanted to make sure that was the case. Bounty rep to follow (it says here I have yet to wait 10 hours before awarding it). – Mahn Aug 14 '14 at 09:43
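The behaviour described in the answer, as an added example that is not part of the original question or answer: a small model of a browser cookie jar that applies the RFC 6265 domain-match, path-match and expiry rules, then simulates the amazon.com to google.com redirect. The `Cookie`, `CookieJar` and `follow_redirect` names, the cookie values and the URLs are all constructed for this illustration; Secure, HttpOnly and SameSite handling are deliberately left out to keep the point visible, which is that the second request carries google.com's own unexpired cookies and none of amazon.com's.

```python
"""Simplified model of a browser cookie jar across a cross-site redirect.

Assumption (constructed for this example): only the domain-match,
path-match and expiry rules of RFC 6265 sections 5.1.3, 5.1.4 and 5.4
are modelled. Secure, HttpOnly and SameSite attributes are omitted.
"""
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                      # host the cookie belongs to, no leading dot
    path: str = "/"
    expires: Optional[float] = None  # absolute epoch seconds; None = session cookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: exact host match, or request host is a subdomain."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: cookie path is a prefix that ends on a path segment."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def store(self, cookie: Cookie) -> None:
        # A Set-Cookie with the same (name, domain, path) replaces the old one.
        key = (cookie.name, cookie.domain, cookie.path)
        self.cookies = [c for c in self.cookies if (c.name, c.domain, c.path) != key]
        self.cookies.append(cookie)

    def cookie_header(self, url: str, now: Optional[float] = None) -> str:
        """Build the Cookie request header the browser would attach to `url`."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        host = parts.hostname or ""
        path = parts.path or "/"
        sent = [
            c for c in self.cookies
            if domain_matches(host, c.domain)
            and path_matches(path, c.path)
            and (c.expires is None or c.expires > now)
        ]
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def follow_redirect(jar: CookieJar, start_url: str, location: str,
                    now: Optional[float] = None) -> Tuple[str, str]:
    """Return (Cookie header on the first request, Cookie header on the
    redirected request). The redirect target is treated like any other
    navigation: the jar is consulted for that host, not the referring one."""
    return jar.cookie_header(start_url, now), jar.cookie_header(location, now)


if __name__ == "__main__":
    now = 1_700_000_000.0  # constructed fixed clock for reproducible output
    jar = CookieJar()
    jar.store(Cookie("session", "amz-123", "amazon.com"))
    jar.store(Cookie("SID", "g-456", "google.com", expires=now + 3600))
    jar.store(Cookie("OLD", "stale", "google.com", expires=now - 1))
    jar.store(Cookie("MAILPREF", "compact", "google.com", path="/mail"))
    first, second = follow_redirect(jar, "https://amazon.com/", "https://google.com/", now)
    print("amazon.com request  Cookie:", first)   # session=amz-123
    print("google.com redirect Cookie:", second)  # SID=g-456
```

Running the module shows the redirected request carrying only `SID=g-456`: the amazon.com session cookie fails the domain match, `OLD` is expired, and `MAILPREF` is scoped to `/mail` so it is withheld from `/`. This is why a user who is already logged in at the redirect target appears logged in there regardless of which site issued the redirect; the referring site never sees the target's cookies, it merely causes the browser to make a request the browser fills in from its own jar.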