AWS Cloudfront Signed Cookie not working on alternate domain

Question

Problem

I have Access Denied for GET request to cloudfront with signed cookies using both canned and custom policy.

Details

1. cdn.example.com is the alternate domain of abc.cloudfront.net , and CNAME is set on both cloudfront and cloudflare.
2. I expect after abc.example.com/authorize , cdn.example.com is accessible.
3. I am using PHP with Laravel behind abc.example.com/authroize , and the code is as follows.

```

$cloudFront = new Aws\CloudFront\CloudFrontClient([
    'region'  => 'us-west-2',
    'version' => '2014-11-06'
]);

$resourceKey = 'http://cdn.example.com';
$expires = time() + 300;

$signedCookieCannedPolicy = $cloudFront->getSignedCookie([
        'url'         => $resourceKey,
        'expires'     => $expires,
        'private_key' => 'pk.pem',
        'key_pair_id' => 'XXXXXXXXXXXXXX',
]);

$response = Response::success();
foreach ($signedCookieCannedPolicy as $name => $value) {
    $response->withCookie(Cookie::make($name, $value, 360, null, 'example.com'));
}

return $response;

```

4. The cookies are set for .example.com

5. When I go to cdn.example.com , the following message is shown

Thanks in advance.

Answer 1

Turns out the issue was due to the encrypted cookies. You might want to check: https://laravel.com/api/5.2/Illuminate/Cookie/CookieJar.html#method_make And if you are using Laravel 5.2, make sure you added exception if you used middleware to encrypt.