../courses.php
Google's Role In The Web
GOOGLE
90
Signing In With Google
Why a Continue with Google button hands off responsibility, but never all of it.
A website adds a Continue with Google button, confident this means it no longer has to think about password security at all, since Google is handling sign-in entirely. A user later reports their account on this website was used without their permission. The user's actual Google account itself was never compromised at all. How could the account be misused if Google's own sign-in was never broken into?
Google sign-in confirms who a user is at the moment they sign in. It does not take over every other security responsibility a website has afterward, such as how it manages the resulting session, what it allows that session to do, or how long that access remains valid. A website's own logic, separate from anything Google does, still decides things like session length and what a signed-in session is allowed to perform, and a weakness in that website's own handling can be misused even while the underlying Google identity itself stays completely secure the entire time.
A Continue with Google button starts a process where the website asks Google to confirm a visiting user's identity, rather than the website managing a password of its own for that user at all.
This process commonly involves the user being sent to a Google-controlled page to confirm their identity and consent, then being returned to the original website along with the confirmed information covered in the previous lecture.
Once a website receives this confirmed identity, it is the website's own responsibility, not Google's, to decide how to start a session for that user, how long that session lasts, and what it allows that session to do.
Removing password management from a website's own responsibility removes one specific category of risk, passwords being guessed, reused, or leaked, but does not remove every other security responsibility a website still has around how it manages sessions and access afterward.
A user revoking a website's access to their Google account, through their own Google account settings, is a separate action from that website's own session for that user automatically ending at the same moment.
Where Google's part ends and the website's own responsibility begins
1. User clicks "Continue with Google"
2. Google confirms identity, user consents
3. Website receives confirmed identity (Google's job ends here)
4. Website creates its own session, decides its own length,
its own permissions (website's job from here)
Steps 1 and 2 are entirely Google's process, confirming who the user is and obtaining their consent to share that with this website. The website has no direct control over how this confirmation itself happens.
The moment the confirmed identity arrives at the website is the precise point Google's involvement in this specific transaction ends. Everything after this point is the website's own code making its own decisions.
How long the resulting session stays valid, whether it requires re-confirmation after some time, and what that session is allowed to do are all decisions the website's own logic makes, with no input from Google at all.
A website that creates an extremely long-lived session, or fails to properly check what that session is allowed to do, has introduced a real security weakness entirely within its own code, regardless of how securely the identity itself was confirmed in steps 1 through 3.
A user removing this website's access from their Google account settings stops Google from confirming this website's future requests. It does not automatically end whatever session that website's own code already created and is still running, unless the website specifically checks for and honors that revocation itself.
Google's responsibility ends at confirming identity, not at securing everything afterward
A website's own session management, decided entirely in its own code after receiving a confirmed identity, can contain a real security weakness completely independent of how secure Google's own identity confirmation was. A perfectly secure sign-in step can still be followed by an insecure session afterward.
Removing password risk does not remove every other category of risk
Passwords being guessed, reused across sites, or leaked is one specific, common risk category that Google sign-in genuinely removes. Session hijacking, overly broad permissions, and other risks that exist entirely within a website's own code remain just as possible as before.
Revoking access on Google's side and ending a session on the website's side are two separate actions
A user revoking a website's access through their Google account settings affects only future identity confirmations from Google to that site. Any session that website already created keeps running exactly as before unless the website itself specifically checks for and responds to that revocation.
A long-lived or overly permissive session is a choice the website made, not something Google imposed
How long a session stays valid after Google sign-in, and what that session is allowed to access, is determined entirely by decisions made in the website's own code, which means an overly generous choice here is a mistake specific to that website, not a limitation inherited from Google.
Adding Google sign-in changes who confirms identity, not what a website is otherwise responsible for
Every other normal security responsibility a website has, validating input, managing sessions appropriately, limiting what a session can access, remains entirely the website's own job after adopting Google sign-in. Only the specific task of confirming who the user is has actually changed hands.
Creating a session that never expires after Google sign-in
session.expires = null; // never expires, regardless of revocation
Creating a session with a reasonable, enforced expiration
session.expires = Date.now() + ( 24 * 60 * 60 * 1000 ); // 24 hours
When an AI tool implements Google sign-in for a website, three things are worth checking. First, does it treat session management, session length, and access permissions as the website's own ongoing responsibility, not something Google sign-in handles automatically. Second, does it check for and respond to a user revoking access on Google's side, rather than assuming an existing session is automatically invalidated. Third, does it recognize that removing password risk through Google sign-in does not remove other security responsibilities the website still has.
Research how a website using Google sign-in can check whether a user has since revoked that website's access, and what specifically happens if it never checks.
Explain, in your own words, why a perfectly secure identity confirmation step could still be followed by an insecure session afterward.
Design a reasonable session expiration policy for a hypothetical website using Google sign-in, and justify the specific length you chose.
Describe a realistic scenario where a website's own session-handling mistake could be exploited even though the underlying Google account itself was never compromised.
List every security responsibility a website still has after adopting Google sign-in, distinguishing them from the one specific responsibility, password management, that it no longer has.
Assuming adopting Google sign-in removes every security responsibility a website has, rather than only the specific one around password management.
Creating a session with no reasonable expiration, leaving it valid indefinitely regardless of anything happening on the user's Google account afterward.
Failing to check whether a user has revoked a website's access on Google's side, leaving an already-created session running unaffected.
Assuming a security incident involving a user's account must mean their underlying Google account was compromised, when the cause can sit entirely within the website's own session handling.
Treating Google's confirmed identity as automatic permission for a session to do anything at all, rather than something the website's own logic still has to separately decide.
You can now identify the exact point where Google's role in a sign-in process ends and a website's own responsibility begins, and explain why a website's session management can introduce real security weaknesses regardless of how secure the underlying identity confirmation was. You can also explain why revoking access on Google's side and ending an existing session are two separate actions that do not automatically happen together.
Login - Jit4All
Login
Welcome back to Jit4All