You may need to verify the Domain and Path attributes in Set-Cookie response headers.
CloudFront returns a 403 Access Denied error if cookies are returned from CloudFront but weren't included in following requests to the same domain. In this case, check the cookie attributes Domain and Path in the Set-Cookie response header.
The Domain value is the domain name for the requested file. The Path value is the path for the requested file. To use an alternate domain name (such as example.com) in URLs, add an alternate domain name to your distribution.
Hi @JED007,
thanks for your response!
I have had time to play around with this but unfortunately with no luck. Just to be clear, I'm signing the cookie like so:
```javascript
const signedCookie = getSignedCookies({
  keyPairId: awsCloudfrontKeyPairId,
  privateKey: awsCloudfrontPrivateKey,
  url: url,
  dateLessThan: getExpTime,
});
```

where url=https://cloudfront.custom-domain.com/path-to-file/*
The lambda response is set to:
```javascript
const response = {
  statusCode: 200,
  isBase64Encoded: false,
  body: JSON.stringify({ url: url, bucket: bucket, key: key }),
  headers: {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": true,
    "Access-Control-Allow-Methods": "OPTIONS,POST,GET",
  },
  multiValueHeaders: {
    "Set-Cookie": [
      `CloudFront-Expires=${signedCookie["CloudFront-Expires"]}; Domain=cloudfront.custom-domain.com; Path=/`,
      `CloudFront-Signature=${signedCookie["CloudFront-Signature"]}; Domain=cloudfront.custom-domain.com; Path=/`,
      `CloudFront-Key-Pair-Id=${signedCookie["CloudFront-Key-Pair-Id"]}; Domain=cloudfront.custom-domain.com; Path=/`,
    ],
  },
};
```
If I then request a file from https://cloudfront.custom-domain.com/path-to-file/video.m3u8, the cookies are sent with the request but result in the 403 error. However, if I set Path=/path-to-file/*, no cookies get sent on the request and I get the Missing Key error.
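Added example, not part of the original thread: a small checker that applies the RFC 6265 domain-match and path-match rules to a Set-Cookie value, showing that a cookie Path is compared as a literal prefix, so a `*` in it is not a wildcard. The function names and the cookie value `abc` are constructed for illustration, and the checker assumes both Domain and Path are present, as in the headers above.

```javascript
// RFC 6265 section 5.1.4: the cookie path matches when it equals the request
// path, or is a prefix of it that ends in "/" or is followed by "/".
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 section 5.1.3: the host equals the Domain attribute or is a
// subdomain of it (a leading dot in the attribute is ignored).
function domainMatches(cookieDomain, host) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Extract name, Domain and Path from one Set-Cookie header value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), domain: null, path: null };
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    if (eq === -1) continue; // flag attributes such as Secure or HttpOnly
    const key = attr.slice(0, eq).trim().toLowerCase();
    const value = attr.slice(eq + 1).trim();
    if (key === "domain") cookie.domain = value;
    if (key === "path") cookie.path = value;
  }
  return cookie;
}

// Would a browser attach this cookie to a request for requestUrl?
function wouldSend(setCookieHeader, requestUrl) {
  const c = parseSetCookie(setCookieHeader);
  if (!c.domain || !c.path) {
    throw new Error("this example expects explicit Domain and Path attributes");
  }
  const u = new URL(requestUrl);
  return domainMatches(c.domain, u.hostname) && pathMatches(c.path, u.pathname);
}

// Constructed inputs modelled on the headers in the post above.
const target = "https://cloudfront.custom-domain.com/path-to-file/video.m3u8";
const base = "CloudFront-Signature=abc; Domain=cloudfront.custom-domain.com; Path=";
for (const p of ["/", "/path-to-file/*", "/path-to-file", "/path-to-file/"]) {
  console.log(p.padEnd(18), wouldSend(base + p, target));
}
```

Only the `/path-to-file/*` variant is withheld from the request, which matches the behaviour described in the post.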