Several workarounds were available available, scripts for instance, the option to use different web browsers, or a web browser’s private browsing mode, to access multiple Google accounts at once.

All this has become easier with the recent Google addition of multiple sign-ins. The multiple sign-in option basically allows Google account owners to define multiple Google emails and passwords, so that they can be used to access Google services simultaneously.

Lets take a closer look at how this works, before we detail the things that you need to know about this new multiple login feature.

Visit google.com, or the country top level domain of your choice, and click the Sign In button at the top right. Once you are signed in, click on Settings, and select Google Account Settings from the listing.

Locate the Personal Settings block on the page, and the Multiple Sign-in parameter at the end of it.

google multiple sign-in

A click on change displays a page filled with information about the multiple sign-in feature. Google states that multiple-sign in is an advanced feature, with certain limitations.

google accounts

Google Multiple Sign-In Information

• Multiple Sign-In is currently only supported by the following Google products: Calendar, Code, Gmail, Reader, Sites, Google Docs and Google Voice. New Google services are likely to be added soon.
• Not all Google account holders have yet access to the multiple sign-in feature, or some of the services that offer it
• Google’s URLs now include a different number for each account: http://mail.google.com/mail/u/0/, http://mail.google.com/mail/u/1/
• The Google account may change when switching from a service that supports multiple sign-ins to one that does not.
• Most Google products will default to the first account used to sign in in a web browsing session, which may not be the account the user wants to access on the Google service website.
• Offline Mail and Offline Calendar will be disabled, unsent mail be lost in the process.
• The multiple sign-in feature is not yet supported on mobile devices
• Enabling multiple sign-in for your accounts may cause some of the gadgets you’re using with Google products to stop working properly.
• After enabling multiple sign-in for Google Calendar, Google Calendar Connector will not work properly. Google Apps domains that user Google Calendar Connectors to receive data from exchange will not be able to do so during this test period
• The Google Code downloads server does not yet handle multiple sign-in. It will always treat an uploaded file as coming from your default account (the first account that you signed in to).
• If you are using multiple sign-in and also using the Google Reader ‘Note in Reader’ bookmarklet, any posts your share through a bookmarklet will automatically share to the first account you signed into, the default account.
• Signing In with a new account for the first time will enable the multiple sign-in option for that account as well, Google displays a warning page with an option to opt out before doing so.

gmail multiple sign-in

It may be required to log out of all accounts once, before the multiple sign-in feature becomes available after making the changes.

Google users should from then on see a drop down next to the email address in the top line on supported Google services. A click on that displays the option to sign in with another Google account, so that it becomes possible to switch between accounts without logging out and in first. (via)

At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. A user who is authenticated by a cookie saved in the user’s web browser could unknowingly send an HTTP request to a site that trusts the user and thereby causes an unwanted action. (source Wikipedia)

Google has (finally) started to implement cross-site request forgery protections to protect Google users and their online services according to an article posted at the Register.

Sometime in the last three days, Google’s login pages began setting a cookie with a unique token on each user’s browser, according to Mike Bailey, a senior researcher for Foreground Security. That same value is also embedded into the login form. If the two don’t match, the user will be unable to log in.

Security experts have criticized Google in the past for not implementing a cross-site request forgery protection. Google engineers were quick to close security vulnerabilities that were caused by this attack type but did not implement a generic protection against these types of attacks.