
Account switcher in browser implementation and secure design

Çağlar Arlı


I am trying to understand how websites implement in-browser account switcher.

e.g. you can log in to Twitter using multiple accounts. On the bottom left, when you click your currently logged-in account, if you have multiple accounts, you can see them all and simply switch by clicking a different one.

How does this work? Typically, once you log in, you get a session cookie. So each time you visit Twitter this cookie gets sent over automatically. But in the case of multiple accounts, how does the browser store these two separate cookies for the same domain?

Is it in the same cookie? If so, isn't that a security risk? How does the web app switch the user session?

I checked local/session storage and both have the same data for twitter.com. Twitter also uses an Authorization header, but the value is the same for both accounts.

So now I'm kinda bummed out trying to figure out how account switching works.
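One way a multi-account switcher can be built on the server side, as an added example that is not Twitter's or any site's actual code: a single signed, HttpOnly cookie carries one server-side session token per logged-in account plus a pointer to the active one, so switching only moves the pointer and is refused for any account not already in the signed set. The signing key, the in-memory session store and the function names are assumptions made for this illustration.

```python
import base64, hashlib, hmac, json, secrets

# Constructed server-side secret and session store for this example only.
SECRET_KEY = b"example-cookie-signing-key"
SERVER_SESSIONS = {}   # session token -> account id

def _sign(body):
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()

def encode_cookie(state):
    # One HttpOnly cookie value: base64(JSON) + HMAC, so the client cannot
    # add or swap session tokens without the server noticing.
    body = base64.urlsafe_b64encode(json.dumps(state).encode()).decode()
    return f"{body}.{_sign(body)}"

def decode_cookie(cookie):
    if not cookie or "." not in cookie:
        return {"sessions": {}, "active": None}
    body, sig = cookie.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(body)):
        return {"sessions": {}, "active": None}  # tampered: treat as logged out
    return json.loads(base64.urlsafe_b64decode(body))

def login(cookie, account_id):
    # Each account gets its own server-side session; the cookie holds the map.
    state = decode_cookie(cookie)
    token = secrets.token_urlsafe(32)
    SERVER_SESSIONS[token] = account_id
    state["sessions"][account_id] = token
    state["active"] = account_id
    return encode_cookie(state)

def switch(cookie, account_id):
    # Switching only changes the pointer; it never mints credentials and it
    # refuses accounts that are not already in the signed session set.
    state = decode_cookie(cookie)
    token = state["sessions"].get(account_id)
    if token is None or SERVER_SESSIONS.get(token) != account_id:
        raise PermissionError("no valid session for that account")
    state["active"] = account_id
    return encode_cookie(state)

def current_user(cookie):
    state = decode_cookie(cookie)
    token = state["sessions"].get(state["active"])
    return SERVER_SESSIONS.get(token) if token else None

def logout(cookie, account_id):
    # Revoke the token server-side, not just in the cookie, then re-point.
    state = decode_cookie(cookie)
    token = state["sessions"].pop(account_id, None)
    SERVER_SESSIONS.pop(token, None)
    if state["active"] == account_id:
        state["active"] = next(iter(state["sessions"]), None)
    return encode_cookie(state)
```

Because every session token travels in one cookie, compromise of that cookie exposes all logged-in accounts at once, which is why the cookie must be HttpOnly and Secure and why logout has to revoke on the server rather than only trimming the client value.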