37

Here's what I did:

  1. Completely cleared my browser of all cookies
  2. Opened a new browser window in Incognito mode
  3. Navigated to askubuntu.com and logged in
  4. Opened a new tab and navigated to stackoverflow.com

On its first response, Stack Overflow responded with my user profile photo already populated and my notifications in place!

How did Stack Overflow know that I was logged in to the network? Any cookies set by Ask Ubuntu should not have been accessible (from what I understand) to Stack Overflow – a different domain!

Note: This is not a duplicate of "https://meta.stackexchange.com/q/260153/", which is a progress update that does not go into specifics at all. I am looking at least for a bare bones technical explanation.


1 Answer

42

Once you get authenticated on a single site, the full.js gets loaded, which has a function UniversalAuth.performAuth() which gets called.

That function starts with an XMLHttpRequest POST to /users/login/universal/request of the current domain. It doesn't take parameters but the browser does send all the cookies it has collected, including prov, _uauth and acct.

That API returns a JSON array with, for each site, a Host, Token and Nonce attribute:

[
    {
        "Token": "cF/S4H",
        "Nonce": "2CJTWw",
        "Host": "stackexchange.com"
    }, {
        "Token": "42",
        "Nonce": "4242",
        "Host": "serverfault.com"
    }, {
        "Token": "4242424",
        "Nonce": "42",
        "Host": "superuser.com"
    }, {
        "Token": "42424242",
        "Nonce": "4242",
        "Host": "askubuntu.com"
    }, {
        "Token": "424242",
        "Nonce": "4242424",
        "Host": "stackapps.com"
    }, {
        "Token": "42424242424",
        "Nonce": "4242424242424242",
        "Host": "mathoverflow.net"
    }
]

That response is iterated and for each element it creates an image tag with this URL:

var url = '//' + group.Host + 
'/users/login/universal.gif?authToken=' + encodeURIComponent(group.Token) + 
'&nonce=' + encodeURIComponent(group.Nonce);

Once the src attribute of the image is set it gets loaded:

var $img = $('<img/>').attr({
    style: 'display:none',
    src: url,
    'crossOrigin': 'use-credentials'  // needed for CORS
});

So suppose we're currently on stackoverflow.com. With the above code, the img tag and its src attribute for serverfault.com will look like:

<img src="https://serverfault.com/users/login/universal.gif?authToken=42&nonce=4242" />

Your browser will now send that src URL to the site serverfault.com (the site you're currently not on!) and on the response of that image two cookies are returned for that specific domain (serverfault.com): prov and acct. Those two new cookies are now bound and will be used for the domain serverfault.com.

Note:

This will only work if your browser accepts third-party cookies. Safari and In Private mode of Chrome are known for rejecting these cookies by default. All major browsers allow tweaking these settings. Without allowing third-party cookies single sign-on will not work. You'll have to authenticate in each top-level domain, aka stackoverflow, serverfault, superuser, mathoverflow, askubuntu, stackapps and stackexchange.

Rinse and repeat for the other hosts.

When you later switch to serverfault.com, say to https://serverfault.com/questions your browser will send the cookies prov and acct that you received earlier when performAuth() loaded the universal.gif image from serverfault.com at the moment you logged in on stackoverflow.com.

When serverfault.com receives the prov and acct cookies the server side code looks their values up in the list of valid account cookies and if the database has those on record, a link to your profile id is established. The executing code will then conclude you have logged in before and as a result will return a page that is already authenticated. You are logged in.

You can verify the above process by opening your browser and the developer console and then keeping an eye on the network tab while you're logging in on one site.

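The handshake in the answer above, reduced to a runnable simulation. This is an added example and not code from the answer or from Stack Exchange; the three hosts, the user id, the token lifetime, the per-host cookie jar, the "block third-party cookies" switch and the replay and wrong-host checks are all modelling assumptions made here (the page shows the browser side of performAuth() and the shape of the JSON, not the server-side validation). The example shows why Stack Overflow already knows you: cookies stay scoped to the host that set them, so the login site hands out one single-use token per sibling host, and loading each host's universal.gif is what lets that host set its own acct cookie. It also shows the failure mode from the Note: with third-party cookies blocked, the gif request still succeeds but the cookie is dropped, so the second site stays logged out.

```python
# Added example, not code from the original answer: a self-contained simulation of the
# universal-login handshake with constructed hosts and user ids.
import secrets
import time
from urllib.parse import parse_qs, quote, urlparse

NETWORK_HOSTS = ["stackoverflow.com", "serverfault.com", "superuser.com"]  # constructed subset


class CookieJar:
    """Cookies are scoped per host; one set by serverfault.com is never sent to stackoverflow.com."""

    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self._jar = {}  # host -> {cookie name: value}

    def set(self, host, name, value, first_party_host):
        # A browser that rejects third-party cookies drops Set-Cookie from any host but the page's own.
        if self.block_third_party and host != first_party_host:
            return
        self._jar.setdefault(host, {})[name] = value

    def cookies_for(self, host):
        return dict(self._jar.get(host, {}))


class AccountDatabase:
    """Network-wide store of valid acct cookies plus the single-use login tokens issued per host."""

    def __init__(self):
        self.acct_to_user = {}
        self.pending = {}  # token -> (user_id, bound host, nonce, expiry)

    def issue_acct(self, user_id):
        acct = secrets.token_urlsafe(16)
        self.acct_to_user[acct] = user_id
        return acct

    def user_for_acct(self, acct):
        return self.acct_to_user.get(acct)

    def issue_login_token(self, user_id, host, ttl_seconds=60):
        token, nonce = secrets.token_urlsafe(6), secrets.token_urlsafe(6)
        self.pending[token] = (user_id, host, nonce, time.time() + ttl_seconds)
        return token, nonce

    def redeem(self, token, nonce, host):
        entry = self.pending.pop(token, None)  # pop: a token is burned on first use, valid or not
        if entry is None:
            return None
        user_id, bound_host, bound_nonce, expires_at = entry
        if host != bound_host or nonce != bound_nonce or time.time() > expires_at:
            return None
        return user_id


class SiteServer:
    """One site of the network; every site shares the same AccountDatabase."""

    def __init__(self, host, db):
        self.host, self.db = host, db

    def _user(self, jar):
        return self.db.user_for_acct(jar.cookies_for(self.host).get("acct"))

    def login(self, jar, user_id):  # ordinary login on this one host
        jar.set(self.host, "acct", self.db.issue_acct(user_id), first_party_host=self.host)

    def universal_request(self, jar):  # POST /users/login/universal/request
        user_id = self._user(jar)
        if user_id is None:
            return []
        groups = []
        for host in NETWORK_HOSTS:
            if host != self.host:
                token, nonce = self.db.issue_login_token(user_id, host)
                groups.append({"Host": host, "Token": token, "Nonce": nonce})
        return groups

    def universal_gif(self, jar, query, first_party_host):  # GET /users/login/universal.gif
        user_id = self.db.redeem(query.get("authToken"), query.get("nonce"), self.host)
        if user_id is None:
            return False
        jar.set(self.host, "acct", self.db.issue_acct(user_id), first_party_host)
        return True

    def whoami(self, jar):  # any later page load on this host
        return self._user(jar)


def perform_auth(jar, current, servers):
    """Browser side of performAuth(): fetch the token list, then load each host's universal.gif."""
    accepted = {}
    for group in current.universal_request(jar):
        # quote() stands in for encodeURIComponent: real tokens such as "cF/S4H" contain '/'.
        url = ("//" + group["Host"] + "/users/login/universal.gif?authToken="
               + quote(group["Token"], safe="") + "&nonce=" + quote(group["Nonce"], safe=""))
        parsed = urlparse("https:" + url)
        query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        accepted[parsed.hostname] = servers[parsed.hostname].universal_gif(jar, query, current.host)
    return accepted


def demo(block_third_party=False):
    db = AccountDatabase()
    servers = {h: SiteServer(h, db) for h in NETWORK_HOSTS}
    jar = CookieJar(block_third_party)
    so, sf = servers["stackoverflow.com"], servers["serverfault.com"]
    so.login(jar, "user-1234")  # constructed user id
    before = sf.whoami(jar)
    perform_auth(jar, so, servers)
    after = sf.whoami(jar)
    # Defender's checks: a captured token must not work twice, nor on a host it was not issued for.
    g = next(g for g in so.universal_request(jar) if g["Host"] == "serverfault.com")
    query = {"authToken": g["Token"], "nonce": g["Nonce"]}
    first_use = sf.universal_gif(jar, query, so.host)
    replay = sf.universal_gif(jar, query, so.host)
    g2 = next(g for g in so.universal_request(jar) if g["Host"] == "serverfault.com")
    wrong_host = servers["superuser.com"].universal_gif(
        jar, {"authToken": g2["Token"], "nonce": g2["Nonce"]}, so.host)
    return {"before": before, "after": after, "first_use": first_use,
            "replay": replay, "wrong_host": wrong_host}


if __name__ == "__main__":
    print(demo())                       # serverfault.com knows the user after performAuth()
    print(demo(block_third_party=True)) # gif loads but the cookie is dropped: still logged out
```

The pop-on-redeem in AccountDatabase.redeem is the property worth checking in any implementation of this pattern: the token travels in a GET query string that lands in proxy and server logs, so it has to die on first use and stay bound to the host and the nonce it was issued with.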
