AWS cloudFront signed cookie fails intermittently for the same server

0
votes

We use AWS to store aduio/video content for our website.

We us the Signed Cookies Using a Canned Policy: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.html

So we have 3 cookies set for each request to retrieve the data: 

CloudFront-Policy;
CloudFront-Signature; 
CloudFront-Key-Pair-Id;

And it is used to access a resource URL like http://cloudfront.org_name.com/2016%2F7%2F1%2FStanding+Meditation_updated+91615.mp3

All three cookies are set by the server (Java-based) for each request anew to a correct pre-set value.

It all works most of the time for most of the content, but for some resources it just fails with a 403 Forbidden error.

If I open two contents (one working, one not) in separate browser tabs, all the cookies and the rest look exactly the same, except for the resource URL.

And yet - one works, while the other does not.

What is even more confusing, sometimes the same resource requested from the same physical client machine, once in FF, other time in Chrome, works in one browser but fails in other one.

Also, sometimes clearing user browser cookies works, the other time it fails, with no discernible pattern.

It's been driving me insane as I struggle to see what's wrong.

Can anyone provide any insight as to what the reason could be and what remedies could be tried?

1
javaamazon-web-servicescookiesamazon-cloudfront
We first need to establish whether the trouble is with the cookie, the URL, or the service. I'm not sure a + in a URL won't give you some trouble in CloudFront; at one time, I believed there to be a bug related to this. Are there some URLs that never work? Are there some cookies that never work? Capture the cookies and URI from a failure and you should be able to replay them with curl. - Michael - sqlbot
Thank you Michael. Using curl, i run these 2 urls, with exactly the same cookies: curl -v -b "3 cookie:value pairs go here" cloudfront.test.company_name.com/… - doesnt work; curl -v -b "3 cookie:value pairs go here" cloudfront.test.company_name.com/… - works - Nestor Milyaev

1 Answers

0
votes

Okay, the answer is in my reply to Michael:

I noticed later on that the resource URLs for working and failing content were different. Pretty close to not spot the difference on the first sight, but diffrent. Everything was the same - cookes, headers, other parameters. But I was comparing 2 different contents. First URL always worked, second always failed.

Lesson learnt: carefully curl the two resources and analyse the uRLS to see what actually is different.

A tip: use Chrome's development tools to derive curl commands: Right click on the failing URL -> Copy-> Copy as cURL. Then paste in command line to test.

BTW, we just re-uploaded the failing resource and updated the referring web page - everything works again.