CloudFront signed cookie and signed url

[aldy120]

An example to use node.js SDK to create a signed cookie.

var AWS = require('aws-sdk');
var keyPairId = 'APKAJUPFSD54Z45KA2GA';
var privateKey = `-----BEGIN RSA PRIVATE KEY-----
xxx
...
xxx
-----END RSA PRIVATE KEY-----
`;
var signer = new AWS.CloudFront.Signer(keyPairId, privateKey);

var options = {
    url: 'https://d1ghhe2lbg7079.cloudfront.net/index.html',
    expires: 1349271750000
}

var signedCookies = signer.getSignedCookie(options);

var signedUrl = signer.getSignedUrl(options);

console.log({signedCookies, signedUrl});

/*
{ signedCookies:
   { 'CloudFront-Expires': 1349271750000,
     'CloudFront-Key-Pair-Id': 'APKAJUPFSD54Z45KA2GA',
     'CloudFront-Signature':
      'GHAYqvAtMiKi1c4WJ9sZZVtV-8LvJd5UtYXVsVXuu~8qgvtglF9jx2wqZbiz~4gRvZqr-lzIsukP32AelCXpCAkVsTyD8W0cStFgsDpCD~BCxCfgfMyL5Wj8HmF-1Zv0ZJFBWHTWkM1dYzfqniVv4L8qzyuYnHl5~VyhEkCk5haOfEE2f64OuK8391yY6fa8kf4YTxXoWQtqeOHBcPEzPES2pUk-7kWgNd0VWCdNF4kIJarsdc3Wj8Meb~aZLRfqZ5X7mTk~sFwCaYXyLMFDzbWSqzahrt9g9VO3AZpQGMOSgzraRKjvTCq9jgSfu7dpPvVRjW7lujTG-ZnRZ59GZQ__' },
  signedUrl:
   'http://d1ghhe2lbg7079.cloudfront.net/?Expires=1349271750000&Key-Pair-Id=APKAJUPFSD54Z45KA2GA&Signature=GHAYqvAtMiKi1c4WJ9sZZVtV-8LvJd5UtYXVsVXuu~8qgvtglF9jx2wqZbiz~4gRvZqr-lzIsukP32AelCXpCAkVsTyD8W0cStFgsDpCD~BCxCfgfMyL5Wj8HmF-1Zv0ZJFBWHTWkM1dYzfqniVv4L8qzyuYnHl5~VyhEkCk5haOfEE2f64OuK8391yY6fa8kf4YTxXoWQtqeOHBcPEzPES2pUk-7kWgNd0VWCdNF4kIJarsdc3Wj8Meb~aZLRfqZ5X7mTk~sFwCaYXyLMFDzbWSqzahrt9g9VO3AZpQGMOSgzraRKjvTCq9jgSfu7dpPvVRjW7lujTG-ZnRZ59GZQ__' }

   Set-Cookie: Domain=d1ghhe2lbg7079.cloudfront.net; Path=/index.html; Secure; HttpOnly; CloudFront-Policy=undefined;
   Set-Cookie: Domain=d1ghhe2lbg7079.cloudfront.net; Path=/index.html; Secure; HttpOnly; CloudFront-Signature=MtWwHoEGEYuqEzpF8sYOSuVL48hpiwRP4SXjoi0MqUSMQl9xdDlTKQmQnSU-9j56Ic2AeCzqWrav2hFG6jx2A0Ww9zew0vD47FELrJqdCeQcyftpbV~E3rW0sHo19NbYv8GZqf6bAVpp~1Y5QsxFxlTpyASmX4ll48ss6ApZnNLX2kKpILsIbUsyCqiWJN-s3OSNJwMYMktxzwQXlK4vwdFfsQ54v~wJp5xP3gZEF8IcKLDDJyWCXSlvy2jgqFmpJqGLrtjPSQMmRlWcJ6-1kiLwljHMwxLtgH-FyDMFHiIqQWfBFhr435yeQ3lWHE0790mq~aejOJbsEGJ47nwueg__;
   Set-Cookie: Domain=d1ghhe2lbg7079.cloudfront.net; Path=/index.html; Secure; HttpOnly; CloudFront-Key-Pair-Id=APKAJUPFSD54Z45KA2GA;
*/

[aldy120]

Domain in Cookies

You can make browser to store a cookie by using Set-Cookie header in HTTP response. If the domain is specify in the Set-Cookie header, then this cookie can also be sent when you visit all the subdomain.

For example, If Set-Cookie: a=1; Domain=example.com in a response headers, the next request to example.com, photo.example.com or tw.photo.example.com will carry this cookie a=1 to your host.

[aldy120]

The cookie name-value pair must be in the first place of Set-Cookie header.

For example, Set-Cookie: a=1; Domain=example.com works, but Set-Cookie: Domain=example.com a=1; does not work.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

[aldy120]

CloudFront custom policy can specify only one CIDR.

[aldy120]

Some tips for cookies

• You can only set cookie for current domain or parent domains.
• http-only means you cannot control cookies by JavaScript
• secure means it only send by HTTPS
• If you don't specify domain, it will not send for subdomains.