1 post • joined 13 Nov 2009
Why we write cookies to multiple domains
I’m the product manager for Windows Live ID. Thanks for calling this out, and I wanted to take this opportunity to outline the reason you are getting this experience. The comments above cover most of this, but here is the official word on why we write our cookies to multiple domains to:
- Give users a good experience with single sign-on, so they can be authenticated to multiple sites (e.g. MSN, Xbox Live, Windows Live, Bing) at once without having to retype their password
- To help protect user security, by separating the authentication cookies that are used for different services. If a cookie in one domain is compromised, it means that user assets in another domain won’t be compromised
During sign-in, we redirect to the right domain so that the cookies can be written in first-party context. It’s only during sign-out, where we need to clear cookies from potentially many domains that we have login.live.com clearing cookies in other domains via the invisible GIF solution (more info http://msdn.microsoft.com/en-us/library/bb676640.aspx). We are actually removing cookies in this scenario, but it’s interpreted by browsers as using third party cookies.
- SMASH the Bash bug! Apple and Red Hat scramble for patch batches
- BENDY iPhone 6, you say? Pah, warp claims are bent out of shape: Consumer Reports
- NASA rover Curiosity drills HOLE in MARS 'GOLF COURSE'
- WHY did Sunday Mirror stoop to slurping selfies for smut sting?
- Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9