Cloudfront is forwarding cookies when it was suppose not to


I have set a Cloudfront origin request policy with no cookie. But Cloudfront is sending the cookies to the origin anyways. Here is the data obtained on Webpagetest for request (

:method: GET
:path: /applications/core/interface/font/fontawesome-webfont.woff2?v=4.7.0
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: AWSALB=V+qLZCNbjEfbsPzZCvXjy8lR1d7lJw+6Qz1bNnwYg3ri9BdDQEtMndfBsf/Hz6jHSj9ffTMEA4MsyUU2es6+KXvX4j590g0Rnn2XevQuROzwR/vyxmaPt32qn142; AWSALBCORS=V+qLZCNbjEfbsPzZCvXjy8lR1d7lJw+6Qz1bNnwYg3ri9BdDQEtMndfBsf/Hz6jHSj9ffTMEA4MsyUU2es6+KXvX4j590g0Rnn2XevQuROzwR/vyxmaPt32qn142; ips4_IPSSessionFront=fi6hu5jv1pl00tp6jshi3uf2ka
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="104", "Google Chrome";v="104"
sec-ch-ua-mobile: ?1
sec-ch-ua-platform: "Android"
sec-fetch-dest: font
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Linux; Android 8.1.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.79 Mobile Safari/537.36 PTST/220727.131331
customize waterfall • Vie

=== As long as there is a session cookie, the response miss the Cloudfront cache:

accept-ranges: bytes
cache-control: max-age=2592000, public
content-length: 77160
content-type: application/font-woff2
date: Tue, 16 Aug 2022 14:33:40 GMT
etag: "12d68-5e3c8209e1ce0"
expires: Thu, 15 Sep 2022 14:33:40 GMT
last-modified: Thu, 14 Jul 2022 18:32:43 GMT
server: Apache/2.4.54 (Ubuntu)
set-cookie: AWSALB=ldcCFgF+iJ0E/9dkC7wI4cjnuEVQbpZIdhNTudEvrd2RNGyXq1KOUVxtocvI6fgV6ZgUUbC34vikqmDhDGNxJuswDudtAo0P8RpZDyi/k2/Njzu5uQUSS0REf8QM; Expires=Tue, 23 Aug 2022 14:33:40 GMT; Path=/
set-cookie: AWSALBCORS=ldcCFgF+iJ0E/9dkC7wI4cjnuEVQbpZIdhNTudEvrd2RNGyXq1KOUVxtocvI6fgV6ZgUUbC34vikqmDhDGNxJuswDudtAo0P8RpZDyi/k2/Njzu5uQUSS0REf8QM; Expires=Tue, 23 Aug 2022 14:33:40 GMT; Path=/; SameSite=None; Secure
:status: 200

=== Why Cloudfront is forwarding the cookies to the origin (ELB cookies and APP cookie) if it was set not to?

asked 3 months ago33 views
2 Answers

You mention that your Origin Request policy is not configured to forward cookies, but what about your Cache policy? If cookies are included in the cache policy, they will automatically be forwarded to the origin. Please refer to for details on Cache policy.

answered 3 months ago
  • Cache policy was also no cookie. To leave no doubt, I have tested again with Managed-CachingOptimized for caching and no policy for origin request and response headers. Same issue with cookies being fowarded.


I think the problem here was related to another question that you asked - the DNS records for your domain did not point to CloudFront, so requests were being made directly to the ALB. This is evident in the response headers above - if the request had been handled by CloudFront then the Server response header would have a value of 'CloudFront' and you'd also have CloudFront specific headers like x-amz-cf-id, x-amz-cf-pop and x-cache. It looks like your DNS is now correctly configured so I expect you are no longer experiencing this issue.

answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions