
I have a CloudFront distribution running on a CNAME

cdn.xxx.domain.com

The app is running on

xxx.domain.com

The main app is creating three cookies for the domain cdn.xxx.domain.com

  • CloudFront-Key-Pair-Id
  • CloudFront-Signature
  • CloudFront-Policy

But when I visit cdn.xxx.domain.com the cookies are not present.

And I get the error

Missing Key-Pair-Id query parameter or cookie value

Because the cookies are not present.

I have also set the CloudFront instance to forward all cookies.

The origin is S3. If I turn off Restrict Viewer Access (Use Signed URLs or Signed Cookies) - then I can access the resource. So the URL I am using is correct.

Why can the cdn. subdomain not use the cookies? You can see here - they are being set in the response from the main app, using the CDN domain.

[Image: cookies set]

Only 2 cookies shown in the image, but there are 3.

Jake N
  • *"You can see here..."* I only see two cookies. There should be three. `CloudFront-Key-Pair-Id` is missing. – Michael - sqlbot Feb 22 '19 at 20:08
  • It is there, it is just not in the image – Jake N Feb 22 '19 at 20:08
  • The error is specifically complaining about the one that is not shown. Next, you say *"because the cookies are not present"*, which seems to imply that you have confirmed that *none* of them are being sent with the request, as observed from the browser developer tools. Confirm this? – Michael - sqlbot Feb 22 '19 at 20:28
  • Yes, none of them are present on the cdn domain – Jake N Feb 22 '19 at 21:21
  • It looks as if you can't explicitly set a cookie for a subdomain from higher up in the hierarchy. https://stackoverflow.com/a/5258477/1695906 – Michael - sqlbot Feb 22 '19 at 23:09
  • Ohhhh, thanks I will try this... – Jake N Feb 25 '19 at 07:40
  • I have changed the CloudFront domain to `cdn.domain.com` and set the domain for the cookies to `.domain.com` and now they are being read. Thanks for that! But now I get Access Denied from CloudFront. No other errors. – Jake N Feb 25 '19 at 17:46
  • Is the Access Denied error XML? If no, then that error might not be from CloudFront rejecting your cookies, and I'll need to see the error. Does the XML include a ``? If yes, then that isn't from CloudFront, it's from S3, and the Origin Access Identity is the problem, not the cookies. Otherwise, I'll need to see your policy statement. – Michael - sqlbot Feb 25 '19 at 20:04
  • Ahhh. Sorted it! The URL I was using to access the resource was slightly different from that in the policy. Thanks Michael! – Jake N Feb 25 '19 at 20:50

0 Answers
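
The two failures worked through in the comments, as an added example that is not part of the original thread: a small model of the browser's RFC 6265 `Domain` checks, and of wildcard matching on the `Resource` in a CloudFront custom policy. The function names and the `/media/` URLs are constructed for illustration; the hostnames are the placeholders used in the question.

```javascript
// Added example: a simplified model, not browser or CloudFront source code.
// It ignores the public-suffix list and IP-address hosts.

// RFC 6265 section 5.1.3: does `host` domain-match `cookieDomain`?
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  return h === d || h.endsWith("." + d);
}

// RFC 6265 section 5.3: a Set-Cookie whose Domain attribute is not
// domain-matched by the responding host is ignored. If it is stored, it is
// later sent only to hosts that domain-match that Domain.
function evaluate(settingHost, domainAttr, cdnHost) {
  const stored = domainMatch(settingHost, domainAttr);
  return { stored, sentToCdn: stored && domainMatch(cdnHost, domainAttr) };
}

// Custom policy "Resource": `*` matches zero or more characters, `?` exactly
// one. The requested URL has to match, or the request is denied.
function resourceMatches(resource, url) {
  const pattern = resource
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + pattern + "$").test(url);
}

// Original setup: the app on xxx.domain.com names a sibling-level subdomain.
console.log(evaluate("xxx.domain.com", "cdn.xxx.domain.com", "cdn.xxx.domain.com"));
// Setup after the change: shared parent domain, CDN moved to cdn.domain.com.
console.log(evaluate("xxx.domain.com", ".domain.com", "cdn.domain.com"));
// Constructed URLs: a one-character difference from the policy is enough to fail.
const resource = "https://cdn.domain.com/media/*";
console.log(resourceMatches(resource, "https://cdn.domain.com/media/a.jpg"));
console.log(resourceMatches(resource, "https://cdn.domain.com/Media/a.jpg"));
```

Running the same two checks against the real `Set-Cookie` domain and the exact URL requested, before looking at key pairs or signatures, separates a cookie-scoping problem from a policy mismatch.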