CloudFront cache policy incorrect Set-Cookie behaviour

Question

We've experienced a new issue with CloudFront. We have a cache policy set to cache for 30 seconds (min, max and default are 30 seconds) with no headers, cookies or query parameters configured. We had it like that for a few months, but we've just started having issues because it was returning a Set-Cookie header in the cached response. According to the docs, Set-Cookie headers are supposed to be removed when no cookies are configured.

This is really problematic since it means someone can receive a private cookie meant for someone else. We were only able to reproduce the issue in some regions (Europe) and we think it started somewhere around Saturday (2023-11-05).

Answer

Hi, like you wrote, CloudFront should include the Set-Cookie header if no cookies are forwarded to the origin.

To address your distribution/account-specific question, please open a [technical support ticket](https://console.aws.amazon.com/support/home#/case/create?issueType=technical). Please provide us with more details about the response, ideally the X-Amz-Cf-Id header value. You can also add the Distribution ID and path that is returning incorrect response headers.

CloudFront cache policy incorrect Set-Cookie behaviour

関連するコンテンツ