Only a few weeks back AWS’ CloudFront announced the use of signed cookies to secure access to private content.<\/p>\n
Getting signed cookies to work with CloudFront in my particular test scenario made me trip over a couple of foot falls that were partially caused by my lack of CloudFront knowledge and partially because the documentation wasn’t helping.<\/p>\n
The highlight: Do not use PHP setcookie<\/strong><\/p>\n PHP setcookie encodes the signed cookie and that will break the signature. The signature process already encodes the signature anyway. The below code example uses Other more obvious things:<\/p>\n The simple case would be that you use a CNAME for CloudFront distribution which means that your website and your CloudFront distribution can share cookies.<\/p>\n In my case I have not yet set up the CNAME nor got the SSL certificate for it. The browser would reject any ‘cloudfront.net’ cookies that do not come from a ‘cloudfront.net’ domain. Therefore I have a two step approach to be able to set a .cloudfront.net cookie.<\/p>\n When a user loads a gallery the browser loads gallery.xml directly from example.com, this forces authentication.<\/p>\n The following CloudFrontSignedCookieHelper.php code would also work for the more appropriate CNAME scenario as part of the first authentication.<\/p>\n Apart from Making use of the new CloudFront signed cookie functionality Continue reading header()<\/code> for that reason.<\/p>\n\n
\n
\n
\/\/dsmxmpl.cloudfront.net\/CloudFrontSignedCookieHelper.php<\/code>.<\/li>\nisAuthorized()<\/code> this is a working example. You can handle the authentication many different ways so I don’t elaborate.<\/p>\n<?php\n\/** \n* site.secrets.php sets CLOUDFRONT_KEY_PAIR_ID and CLOUDFRONT_KEY_PATH as well as CDN_HOST \n* e.g. \n\/\/ define('CLOUDFRONT_KEY_PAIR_ID' , 'APSOMEOROTHERA')\n\/\/ define('CLOUDFRONT_KEY_PATH' , '\/etc\/secrets\/pk.APSOMEOROTHERA.pem')\n\/\/ define('CDN_HOST' , 'dsmxmpl.cloudfront.net')\n*\/\nrequire_once ('\/etc\/secrets\/site.secrets.php');\n\nclass CloudFrontSignedCookieHelper {\n public static function rsa_sha1_sign($policy, $private_key_filename) {\n $signature = \"\";\n openssl_sign ( $policy, $signature, file_get_contents ( $private_key_filename ) );\n return $signature;\n }\n public static function url_safe_base64_encode($value) {\n $encoded = base64_encode ( $value );\n return str_replace ( array ('+','=','\/'), array ('-','_','~'), $encoded );\n }\n public static function getSignedPolicy($private_key_filename, $policy) {\n $signature = CloudFrontSignedCookieHelper::rsa_sha1_sign ( $policy, $private_key_filename );\n $encoded_signature = CloudFrontSignedCookieHelper::url_safe_base64_encode ( $signature );\n return $encoded_signature;\n }\n public static function getNowPlus2HoursInUTC() {\n $dt = new DateTime ( 'now', new DateTimeZone ( 'UTC' ) );\n $dt->add ( new DateInterval ( 'P1D' ) );\n return $dt->format ( 'U' );\n }\n public static function setCookie($name, $val, $domain) {\n \/\/ using our own implementation because\n \/\/ using php setcookie means the values are URL encoded and then AWS CF fails\n header ( \"Set-Cookie: $name=$val; path=\/; domain=$domain; secure; httpOnly\", false );\n }\n public static function setCloudFrontCookies() {\n $cloudFrontHost = CDN_HOST;\n $cloudFrontCookieExpiry = CloudFrontSignedCookieHelper::getNowPlus2HoursInUTC ();\n $customPolicy = '{\"Statement\":[{\"Resource\":\"https:\/\/' . $cloudFrontHost .\n '\/*\",\"Condition\":{\"DateLessThan\":{\"AWS:EpochTime\":' . $cloudFrontCookieExpiry . '}}}]}';\n $encodedCustomPolicy = CloudFrontSignedCookieHelper::url_safe_base64_encode ( $customPolicy );\n $customPolicySignature = CloudFrontSignedCookieHelper::getSignedPolicy ( CLOUDFRONT_KEY_PATH, \n $customPolicy );\n CloudFrontSignedCookieHelper::setCookie ( \"CloudFront-Policy\", $encodedCustomPolicy, $cloudFrontHost);\n CloudFrontSignedCookieHelper::setCookie ( \"CloudFront-Signature\", $customPolicySignature, $cloudFrontHost);\n CloudFrontSignedCookieHelper::setCookie ( \"CloudFront-Key-Pair-Id\", CLOUDFRONT_KEY_PAIR_ID, $cloudFrontHost);\n }\n}\n\nif (isAuthorized()){\n CloudFrontSignedCookieHelper::setCloudFrontCookies ();\n}\n?>\nvar cloudFrontCookieSet=true;\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"