Setting signed cookies using a canned policy - Amazon CloudFront

Setting signed cookies using a canned policy

To set a signed cookie by using a canned policy, complete the following steps. To create the signature, see Creating a signature for a signed cookie that uses a canned policy.

The following example shows Set-Cookie headers for one signed cookie when you're using the domain name that is associated with your distribution in the URLs for your files:

Set-Cookie: CloudFront-Expires=1426500000; Domain=d111111abcdef8.cloudfront.net; Path=/images/*; Secure; HttpOnly
Set-Cookie: CloudFront-Signature=yXrSIgyQoeE4FBI4eMKF6ho~CA8_; Domain=d111111abcdef8.cloudfront.net; Path=/images/*; Secure; HttpOnly
Set-Cookie: CloudFront-Key-Pair-Id=K2JCJMDEHXQW5F; Domain=d111111abcdef8.cloudfront.net; Path=/images/*; Secure; HttpOnly

The following example shows Set-Cookie headers for one signed cookie when you're using the alternate domain name example.org in the URLs for your files:

Set-Cookie: CloudFront-Expires=1426500000; Domain=example.org; Path=/images/*; Secure; HttpOnly
Set-Cookie: CloudFront-Signature=yXrSIgyQoeE4FBI4eMKF6ho~CA8_; Domain=example.org; Path=/images/*; Secure; HttpOnly
Set-Cookie: CloudFront-Key-Pair-Id=K2JCJMDEHXQW5F; Domain=example.org; Path=/images/*; Secure; HttpOnly

If you want to use an alternate domain name such as example.com in URLs, you must add the alternate domain name to your distribution regardless of whether you specify the Domain attribute. For more information, see Alternate domain names (CNAMEs) in the topic Values that you specify when you create or update a distribution.

Creating a signature for a signed cookie that uses a canned policy

To create the signature for a signed cookie that uses a canned policy, do the following:

Creating a policy statement for a signed cookie that uses a canned policy

When you set a signed cookie that uses a canned policy, the CloudFront-Signature attribute is a hashed and signed version of a policy statement. For signed cookies that use a canned policy, you don't include the policy statement in the Set-Cookie header, as you do for signed cookies that use a custom policy. To create the policy statement, complete the following steps.

To create a policy statement for a signed cookie that uses a canned policy
  1. Construct the policy statement using the following JSON format and using UTF-8 character encoding. Include all punctuation and other literal values exactly as specified. For information about the Resource and DateLessThan parameters, see Values that you specify in the policy statement for a canned policy for signed cookies.

    {
        "Statement": [
            {
                "Resource": "base URL or stream name",
                "Condition": {
                    "DateLessThan": {
                        "AWS:EpochTime": ending date and time in Unix time format and UTC
                    }
                }
            }
        ]
    }
  2. Remove all white space (including tabs and newline characters) from the policy statement. You might have to include escape characters in the string in application code.

Values that you specify in the policy statement for a canned policy for signed cookies

When you create a policy statement for a canned policy, you specify the following values:

Resource

The base URL including your query strings, if any, for example:

https://d111111abcdef8.cloudfront.net/images/horizon.jpg?size=large&license=yes

You can specify only one value for Resource.

Note the following:

  • Protocol – The value must begin with http:// or https://.

  • Query string parameters – If you have no query string parameters, omit the question mark.

  • Alternate domain names – If you specify an alternate domain name (CNAME) in the URL, you must specify the alternate domain name when referencing the file in your webpage or application. Do not specify the Amazon S3 URL for the file.

DateLessThan

The expiration date and time for the URL in Unix time format (in seconds) and Coordinated Universal Time (UTC). Do not enclose the value in quotation marks.

For example, March 16, 2015 10:00 am UTC converts to 1426500000 in Unix time format.

This value must match the value of the CloudFront-Expires attribute in the Set-Cookie header. Do not enclose the value in quotation marks.

For more information, see When does CloudFront check the expiration date and time in a signed cookie?.

Example policy statement for a canned policy

When you use the following example policy statement in a signed cookie, a user can access the file https://d111111abcdef8.cloudfront.net/horizon.jpg until March 16, 2015 10:00 am UTC:

{
    "Statement": [
        {
            "Resource": "https://d111111abcdef8.cloudfront.net/horizon.jpg?size=large&license=yes",
            "Condition": {
                "DateLessThan": {
                    "AWS:EpochTime": 1426500000
                }
            }
        }
    ]
}

Signing the policy statement to create a signature for a signed cookie that uses a canned policy

To create the value for the CloudFront-Signature attribute in a Set-Cookie header, you hash and sign the policy statement that you created in To create a policy statement for a signed cookie that uses a canned policy.
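The following is an added example, not AWS sample code: it builds the whitespace-free policy statement, signs it, and assembles the three Set-Cookie headers shown earlier. Assumptions: the function names are hypothetical; the SHA-1 with RSA (PKCS #1 v1.5) signing and the replacement of +, = and / with -, _ and ~ follow CloudFront's documented signing procedure rather than text on this page; the pure-Python signer and the demo key stand in for a vetted crypto library or KMS so that the example runs offline.

```python
import base64
import hashlib
import json

SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")  # DigestInfo for SHA-1 (RFC 8017)

# Constructed demo key built from two Mersenne primes: insecure, present only so the
# example runs offline. A real private key stays in a crypto library, KMS or HSM.
E = 65537
N = (2**521 - 1) * (2**607 - 1)
D = pow(E, -1, (2**521 - 2) * (2**607 - 2))

def canned_policy(resource, expires):
    """Return the canned policy statement with no white space, as UTF-8 bytes."""
    if not resource.startswith(("http://", "https://")):
        raise ValueError("Resource must begin with http:// or https://")
    if resource.endswith("?"):
        raise ValueError("omit the question mark when there is no query string")
    if isinstance(expires, bool) or not isinstance(expires, int):
        raise TypeError("AWS:EpochTime must be an unquoted integer")
    stmt = {"Statement": [{"Resource": resource, "Condition": {
        "DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(stmt, separators=(",", ":"), ensure_ascii=False).encode("utf-8")

def pkcs1_encode(message, k):  # EMSA-PKCS1-v1_5 block for a k-byte modulus
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(message, n=N, d=D):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_encode(message, k), "big"), d, n).to_bytes(k, "big")

def verify(message, signature, n=N, e=E):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big") == pkcs1_encode(message, k)

def cookie_safe(raw):
    """Base64-encode, then replace the characters that are invalid in a cookie value."""
    return base64.b64encode(raw).decode().translate(str.maketrans("+=/", "-_~"))

def cookie_unsafe(value):
    return base64.b64decode(value.translate(str.maketrans("-_~", "+=/")))

def set_cookie_headers(resource, expires, key_pair_id, domain, path):
    signature = cookie_safe(sign(canned_policy(resource, expires)))
    attrs = f"Domain={domain}; Path={path}; Secure; HttpOnly"
    pairs = (("CloudFront-Expires", expires), ("CloudFront-Signature", signature),
             ("CloudFront-Key-Pair-Id", key_pair_id))
    return [f"Set-Cookie: {name}={value}; {attrs}" for name, value in pairs]
```

Because the same integer feeds both AWS:EpochTime and CloudFront-Expires, the two cannot drift apart; a signature checked against a policy with any other expiry or Resource fails verification.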

For additional information and examples of how to hash, sign, and encode the policy statement, see the following topics: