4

I am using signed cookie to restrict access content in my S3 bucket via Cloudfront in my web based application

For example, a user can access content in s3://mys3/folder1 via http://mycf.example.com/folder1. He will not be able to access content in other folders at the same level.

Here is my problem:

The user uses my web app to access his content in s3://mys3/user1. He opens up another browser instance to access his peer's content in s3://mys3/buddy. The second browser will download a new set of signed cookie and overwritten the ones for user1. Now if he switch back to his first window, he will encounter a 'Access denied' problem.

What is the best practice to avoid this issue? e.g. Is it possible to specify multiple paths in a policy's url?

Anthony Kong
  • 33,453
  • 37
  • 154
  • 277

1 Answers1

4

You cant specify multiple paths in your policy. If you folder structure won't match the wildcard values you can use, you will probably need to generate signed cookies for each path and scope them accordingly.

You can specify for what path a cookie will work for. When you Set-Cookie, specify the path to /user1 for your first user and /user2 for your second user. Then your browser will only send them when the path's match.

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.html#private-content-canned-policy-signature-cookies

imperalix
  • 3,401
  • 1
  • 21
  • 17
  • 2
    I think you misunderstand my question. User1 need to access both `/user1` and `/user2` **at the same time**. The path in the policy, as far as I understand, can only be either '/user1' or '/user2'. – Anthony Kong May 02 '15 at 04:50
  • This isn't an answer. The question is about setting multiple cookies to different paths for the same browser. Not setting a single cookie for two different users on different browsers which is what this "answer" seems to assume with the notion of a "second" user. – Seivan Mar 30 '20 at 10:11
  • @AnthonyKong No, he understood your question, and his answer is likely correct. If you specify different paths in the cookie, you can keep both sets of cookies at the same time, therefore allowing access to different buckets at the same time. [See this related cookie question.](https://stackoverflow.com/questions/4056306/how-to-handle-multiple-cookies-with-the-same-name) – Cerin Apr 18 '20 at 15:28