A Google Login works like this:

1) You login, normally at a login page that is under the Google.com/accounts domain.

1a) If you aren’t on the Google.com/accounts domain, it is going to forward you there after you post the form. This can be found on sites like Blogger.

Once you arrive at the Google.com/accounts domain, they do two things

2) They set a cookie(s) that is specific to the Google.com/accounts domain, that are also only able to be sent over a secure connection. This is to verify your identity later on.

I say multiple because there are several cookies bound to the google.com/accounts domain. I believe that one of these is to make sure that all doesn’t fail if secure connections aren’t allowed

3) They set a cookie that spans all the domains using .google.com as their domain, because this will make the cookie available to any domain.

4) They forward you back.

5) If it is a site on a different domain, like blogger, they send along an authorization key in the URL. The page sees it, verfies it, and sets the cookie for a different domain. A technique like this can be seen using Google’s Oauth.

Here is where that Secure Cookie comes in.

If you notice, whenever you go to a site after you close your browser, they forward you to the google.com/accounts path, where they reverify you under a secure connection, and then reset the subdomain-wide cookie. Then they send you back.

Furthermore, some sites like Google Adsense use the same technique as Google.com/accounts uses, by making a secure cookie on a specific path, and then using more global cookies to allow greater access.

Some of this is guessing, but given what a non-insider can see, I believe that is close to the truth.

Note: I literally spent like an entire month just browsing from Google Site to Google Site seeing how they did stuff. By upvoting this post, you are decreasing the sadness I have for having no life