
Signed cookies between subdomains on CloudFront

Having trouble setting a cookie (subdomain to parent) in a CloudFront configuration:

  1. S3 bucket serving a static site with a CloudFront distribution. CNAME: example.com
  2. API Gateway API with a custom domain: api.example.com
  3. S3 bucket with a CloudFront distribution with CNAME: files.example.com

The web application on example.com contacts a Lambda proxy GET method on api.example.com. This function, among other things, returns headers with values generated by AWS.CloudFront.Signer.getSignedCookies():

{
    'Set-Cookie': `CloudFront-Expires=...; Domain=.example.com`,
    'SEt-Cookie': `CloudFront-Signature=...; Domain=.example.com`,
    'SET-Cookie': `CloudFront-Key-Pair-Id=...; Domain=.example.com`
}

These are being sent to the client with the response, but for some reason are not sent in GET requests to the S3 bucket on files.example.com.

I am not certain if the issue is with the cookies being set or being sent: by looking at the application tab in Chrome dev tools it seems that the cookies aren't there. However, in the network tab the cookies are indeed being sent alongside requests to api.example.com (but not with requests to files.example.com).

As far as I can tell the configuration should work in terms of Domain cookie policy (the subdomain is attempting to set a cookie with a parent domain, under which is a different subdomain of the parent, that should receive the cookies). Any other immediate suspects for this sort of behaviour?

You want to use the cookie domain .example.com instead of example.com. The leading . allows subdomains to access the cookie as well.

You also need to ensure that the cookies are being forwarded to the origin in your CloudFront behavior.
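
The cookie Domain scoping discussed in this thread, as an added example that is not part of the original question or answer: it applies the RFC 6265 domain-match rule to the three hosts above and builds the Set-Cookie headers for a Lambda proxy response using `multiValueHeaders`. The helper names, the `Path=/; Secure; HttpOnly` attributes and the cookie values are assumptions made for illustration.

```javascript
// Added example; cookie values are constructed placeholders, not real signatures.

// RFC 6265 5.2.3: a leading "." in the Domain attribute is dropped; compare lowercase.
function normalizeDomain(attr) {
  return attr.replace(/^\./, '').toLowerCase();
}

// RFC 6265 5.1.3 domain-match: identical, or host ends with "." + domain.
// (IP-address hosts and the public-suffix check are left out of this sketch.)
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = normalizeDomain(cookieDomain);
  return h === d || h.endsWith('.' + d);
}

// The browser stores the cookie only if the responding host domain-matches the
// Domain attribute, and later sends it only to hosts that domain-match it too.
function cookieReaches(setterHost, domainAttr, requestHost) {
  return domainMatches(setterHost, domainAttr) && domainMatches(requestHost, domainAttr);
}

// Lambda proxy response: multiValueHeaders carries several Set-Cookie values
// under a single header name.
function buildResponse(signedCookies, domainAttr) {
  const cookies = Object.entries(signedCookies).map(
    ([name, value]) => `${name}=${value}; Domain=${domainAttr}; Path=/; Secure; HttpOnly`
  );
  return { statusCode: 200, multiValueHeaders: { 'Set-Cookie': cookies }, body: '' };
}

// Constructed stand-in for the object returned by getSignedCookies().
const sampleSigned = {
  'CloudFront-Expires': '1700000000',
  'CloudFront-Signature': 'PLACEHOLDER-SIGNATURE',
  'CloudFront-Key-Pair-Id': 'PLACEHOLDER-KEY-ID',
};

const response = buildResponse(sampleSigned, '.example.com');
console.log(response.multiValueHeaders['Set-Cookie']);
for (const host of ['files.example.com', 'example.com', 'files.example.org']) {
  console.log(host, cookieReaches('api.example.com', '.example.com', host));
}
```
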
