CloudFront is forwarding cookies when it was supposed not to

0

I have set a CloudFront origin request policy with no cookie. But CloudFront is sending the cookies to the origin anyways. Here is the data obtained on WebPageTest for the request (https://www.webpagetest.org/result/220816_BiDcWR_ACG/1/details/#waterfall_view_step1):

:authority: fisiculturismo.com.br
:method: GET
:path: /applications/core/interface/font/fontawesome-webfont.woff2?v=4.7.0
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: AWSALB=V+qLZCNbjEfbsPzZCvXjy8lR1d7lJw+6Qz1bNnwYg3ri9BdDQEtMndfBsf/Hz6jHSj9ffTMEA4MsyUU2es6+KXvX4j590g0Rnn2XevQuROzwR/vyxmaPt32qn142; AWSALBCORS=V+qLZCNbjEfbsPzZCvXjy8lR1d7lJw+6Qz1bNnwYg3ri9BdDQEtMndfBsf/Hz6jHSj9ffTMEA4MsyUU2es6+KXvX4j590g0Rnn2XevQuROzwR/vyxmaPt32qn142; ips4_IPSSessionFront=fi6hu5jv1pl00tp6jshi3uf2ka
origin: https://fisiculturismo.com.br
referer: https://fisiculturismo.com.br/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="104", "Google Chrome";v="104"
sec-ch-ua-mobile: ?1
sec-ch-ua-platform: "Android"
sec-fetch-dest: font
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Linux; Android 8.1.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.79 Mobile Safari/537.36 PTST/220727.131331

=== As long as there is a session cookie, the response misses the CloudFront cache:

accept-ranges: bytes
cache-control: max-age=2592000, public
content-length: 77160
content-type: application/font-woff2
date: Tue, 16 Aug 2022 14:33:40 GMT
etag: "12d68-5e3c8209e1ce0"
expires: Thu, 15 Sep 2022 14:33:40 GMT
last-modified: Thu, 14 Jul 2022 18:32:43 GMT
server: Apache/2.4.54 (Ubuntu)
set-cookie: AWSALB=ldcCFgF+iJ0E/9dkC7wI4cjnuEVQbpZIdhNTudEvrd2RNGyXq1KOUVxtocvI6fgV6ZgUUbC34vikqmDhDGNxJuswDudtAo0P8RpZDyi/k2/Njzu5uQUSS0REf8QM; Expires=Tue, 23 Aug 2022 14:33:40 GMT; Path=/
set-cookie: AWSALBCORS=ldcCFgF+iJ0E/9dkC7wI4cjnuEVQbpZIdhNTudEvrd2RNGyXq1KOUVxtocvI6fgV6ZgUUbC34vikqmDhDGNxJuswDudtAo0P8RpZDyi/k2/Njzu5uQUSS0REf8QM; Expires=Tue, 23 Aug 2022 14:33:40 GMT; Path=/; SameSite=None; Secure
:status: 200

=== Why is CloudFront forwarding the cookies to the origin (ELB cookies and APP cookie) if it was set not to?

Igor
Asked 2 years ago · 1622 views
2 Answers
0

You mention that your Origin Request policy is not configured to forward cookies, but what about your Cache policy? If cookies are included in the cache policy, they will automatically be forwarded to the origin. Please refer to https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html for details on Cache policy.

AWS
Expert
Paul_L
answered 2 years ago
  • Cache policy was also no cookie. To leave no doubt, I have tested again with Managed-CachingOptimized for caching and no policy for origin request and response headers. Same issue with cookies being forwarded.

0

I think the problem here was related to another question that you asked - the DNS records for your domain did not point to CloudFront, so requests were being made directly to the ALB. This is evident in the response headers above - if the request had been handled by CloudFront then the Server response header would have a value of 'CloudFront' and you'd also have CloudFront specific headers like x-amz-cf-id, x-amz-cf-pop and x-cache. It looks like your DNS is now correctly configured so I expect you are no longer experiencing this issue.

AWS
Expert
Paul_L
answered 2 years ago
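
The header check described in the answer above, as an added example (not code from the thread or from AWS): it parses a response-header dump in the format shown in the question and reports whether the CloudFront markers the answer names are present, and which cookies the response sets. Both sample dumps are constructed; cookie values, POP and request ID are placeholders.

```python
import re

# Response headers the answer names as evidence that CloudFront handled the request.
CF_MARKERS = ("x-amz-cf-id", "x-amz-cf-pop", "x-cache")

# Constructed sample: shaped like the response in the question, cookie values elided.
DIRECT_TO_ALB = """
cache-control: max-age=2592000, public
content-type: application/font-woff2
server: Apache/2.4.54 (Ubuntu)
set-cookie: AWSALB=ELIDED; Expires=Tue, 23 Aug 2022 14:33:40 GMT; Path=/
set-cookie: AWSALBCORS=ELIDED; Expires=Tue, 23 Aug 2022 14:33:40 GMT; Path=/; SameSite=None; Secure
:status: 200
"""

# Constructed sample: the same object served through CloudFront (placeholder IDs).
THROUGH_CLOUDFRONT = """
content-type: application/font-woff2
server: Apache/2.4.54 (Ubuntu)
x-cache: Hit from cloudfront
x-amz-cf-pop: EXAMPLE-POP
x-amz-cf-id: EXAMPLE-REQUEST-ID
:status: 200
"""

def parse_headers(dump):
    """Parse 'name: value' lines (HTTP/2 pseudo-headers included) into {name: [values]}."""
    headers = {}
    for line in dump.strip().splitlines():
        m = re.match(r"\s*(:?[^:\s]+):\s*(.*)$", line)
        if m:  # repeated headers such as set-cookie accumulate in the list
            headers.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return headers

def cloudfront_verdict(dump):
    """Say whether the response carries CloudFront markers and which cookies it sets."""
    h = parse_headers(dump)
    markers = [name for name in CF_MARKERS if name in h]
    server_is_cf = any(v.lower() == "cloudfront" for v in h.get("server", []))
    x_cache = h.get("x-cache", [""])[0]
    return {
        "via_cloudfront": bool(markers) or server_is_cf,
        "markers": markers,
        "cache_result": x_cache.split(" ")[0] if x_cache else None,  # e.g. Hit / Miss
        "cookies_set": [v.split("=", 1)[0] for v in h.get("set-cookie", [])],
    }

if __name__ == "__main__":
    for name, dump in (("direct", DIRECT_TO_ALB), ("cloudfront", THROUGH_CLOUDFRONT)):
        print(name, cloudfront_verdict(dump))
```

A response with no markers and ALB-issued `set-cookie` headers, like the first sample, never passed through the distribution, so its cache and origin request policies were not applied to it.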
