
I am pretty inexperienced with AWS and I have an app that uses a JWT token stored in a cookie to log in users. On page load, a GET request is made to the backend, the backend verifies the token and redirects the user to the dashboard page, which can only be accessed with a valid token. If there's no token, the backend returns a 400 error and the user stays on the home page. This works flawlessly on my local machine but not when I host the project on AWS. I believe there are no problems with how it's hosted because the backend does receive the GET request from the frontend, just without cookies, and I am adding credentials with it. The documentation talks about a Forward Cookies option and so does this video by AWS but the console has since changed and this option is no longer available. The second answer in this post suggests that the right way to do it is via custom cache and origin request policies in a distribution behavior but the example given doesn't match my use case and I haven't been able to get it working. I have tried editing the distribution behaviour and both setting "Cookies" to "All" in the legacy cache settings and using custom cache and origin request policies with the same setting but nothing works.

Axios GET request:

import axios, { AxiosError } from "axios";

// backendURL and router come from the app's own code (not shown in the question)
axios
  .get(`${backendURL}/isUser`, {
    withCredentials: true, // ask the browser to attach cookies to this cross-origin request
  })
  .then(() => router.push("/dashboard"))
  .catch((error: AxiosError) => console.error(error));

[Screenshot: Development (left) and production (right) requests]

[Screenshot: Distribution behavior unchanged (just HTTP to HTTPS redirection)]

Alberto Vilches

3 Answers

1

This has nothing to do with AWS and everything to do with how you are setting your cookie. You can't set a cookie from your "backend", so that your "front-end" will return it, unless they are on the same subdomain, and the cookie domain setting is set correctly.

Warren Parad
1

I had some similar issues with cookies. @Warren is actually correct here. If you want to access cookies, you'll have to set up the same subdomain for your client and server applications.

However, I tried something earlier and this may work (not sure)

Map the S3 link (client) and server to cloudfront domains. This will make both the domains secure with https. (select a CF certificate, the default one). Now, set the following thing on the server side while setting cookies:

  1. httpOnly: true
  2. sameSite: none
  3. secure: true

This should work I guess, give it a try. The other CloudFront setting you can change is shown in the attached screenshot. (That is what I did)

Raghav Mishra
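The two answers above come down to browser cookie rules (host match, Domain attribute, Secure, SameSite) rather than anything in CloudFront. The following is an added example, not code from the question or from any answer: a small JavaScript model of those rules, applied to the three setups discussed in this thread (page on cloudfront.net writing its own cookie; the backend on api.mydomain.com setting it with SameSite=None; Secure; and frontend plus backend on sibling subdomains of mydomain.com). The function names (site, storeCookie, cookieSent, scenarios) are mine, the hostnames are the ones from the thread, and the public-suffix table is a constructed subset of the real Public Suffix List (cloudfront.net really is on that list, which is why two CloudFront default domains count as different sites). HttpOnly and CORS headers are deliberately not modelled.

```javascript
// Added example, not code from the question or the answers: a simplified model
// of the browser rules that decide whether a cookie is stored and then sent on a
// credentialed cross-origin XHR/fetch. Only Domain, Secure and SameSite are
// modelled. PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "net", "cloudfront.net"]);

// Registrable domain (eTLD+1): the shortest suffix of the host that is not
// itself a public suffix. Two hosts are "same-site" when these are equal.
function site(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = labels.length - 1; i >= 0; i--) {
    const suffix = labels.slice(i).join(".");
    if (!PUBLIC_SUFFIXES.has(suffix)) return suffix;
  }
  return host.toLowerCase();
}

// Host-only cookies (no Domain attribute) match exactly one host;
// domain cookies match the domain and all of its subdomains.
function hostMatches(requestHost, cookie) {
  if (!cookie.domain) return requestHost === cookie.host;
  return requestHost === cookie.domain || requestHost.endsWith("." + cookie.domain);
}

// Stage 1: would the browser store the cookie at all?
//   pageHost  - host of the document whose request produced the Set-Cookie
//   setByHost - host of the server that sent Set-Cookie (the page itself for document.cookie)
function storeCookie({ pageHost, setByHost, domain, secure = false, sameSite = "Lax" }) {
  if (domain) {
    const d = domain.replace(/^\./, "").toLowerCase();
    if (PUBLIC_SUFFIXES.has(d)) return { stored: false, reason: "Domain is a public suffix" };
    if (setByHost !== d && !setByHost.endsWith("." + d))
      return { stored: false, reason: "Domain does not cover the setting host" };
    domain = d;
  }
  if (sameSite === "None" && !secure)
    return { stored: false, reason: "SameSite=None requires Secure" };
  if (site(pageHost) !== site(setByHost) && sameSite !== "None")
    return { stored: false, reason: "a cross-site response may only set SameSite=None cookies" };
  return { stored: true, cookie: { host: setByHost.toLowerCase(), domain, secure, sameSite } };
}

// Stage 2: would the browser attach a stored cookie to an XHR/fetch from pageHost
// to requestUrl? (Origin comparison simplified to hostname only.)
function cookieSent({ cookie, pageHost, requestUrl, withCredentials }) {
  const url = new URL(requestUrl);
  if (url.hostname !== pageHost && !withCredentials)
    return { sent: false, reason: "cross-origin request without credentials" };
  if (!hostMatches(url.hostname, cookie))
    return { sent: false, reason: "cookie belongs to a different host" };
  if (cookie.secure && url.protocol !== "https:")
    return { sent: false, reason: "Secure cookie over plain http" };
  if (site(pageHost) !== site(url.hostname) && cookie.sameSite !== "None")
    return { sent: false, reason: `SameSite=${cookie.sameSite} cookie withheld on cross-site request` };
  return { sent: true };
}

// The three setups discussed in the thread, all with withCredentials: true.
function scenarios() {
  const cf = "abcdef1234.cloudfront.net";
  const apiHost = "api.mydomain.com";
  const api = "https://api.mydomain.com/isUser";
  // 1. As asked: the CloudFront-hosted page writes the cookie itself.
  const q = storeCookie({ pageHost: cf, setByHost: cf, secure: true });
  const question = cookieSent({ cookie: q.cookie, pageHost: cf, requestUrl: api, withCredentials: true });
  // 2. Raghav's suggestion: the backend sets it with SameSite=None; Secure.
  const a = storeCookie({ pageHost: cf, setByHost: apiHost, secure: true, sameSite: "None" });
  const sameSiteNone = cookieSent({ cookie: a.cookie, pageHost: cf, requestUrl: api, withCredentials: true });
  // 3. Asker's final setup: frontend on myapp.mydomain.com, backend sets the cookie.
  const page = "myapp.mydomain.com";
  const b = storeCookie({ pageHost: page, setByHost: apiHost, secure: true });
  const sameSubdomain = cookieSent({ cookie: b.cookie, pageHost: page, requestUrl: api, withCredentials: true });
  return { question, sameSiteNone, sameSubdomain };
}

console.log(scenarios());
```

Setup 1 fails at the host-match step: a cookie written by the page on abcdef1234.cloudfront.net is simply never a candidate for api.mydomain.com, whatever CloudFront forwards. Setup 2 works only because SameSite=None and Secure are both present; dropping Secure means the cookie is never stored. Setup 3 works with the Lax default because both hosts share the registrable domain mydomain.com. For setup 2 the backend must additionally answer with Access-Control-Allow-Credentials: true and an explicit Access-Control-Allow-Origin (not *), which this model does not cover.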
1

I didn't mention on my post that I was setting the cookies on the frontend of my app, hosted at https://abcdef1234.cloudfront.net/, and trying to send the cookies to my backend, at https://api.mydomain.com/. I didn't think this was an issue but it turns out it is. To get it working, I have had to change my CloudFront distribution to use https://myapp.mydomain.com/ and the backend to set the cookie itself.

Alberto Vilches