New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature/cloudfront/sign: allow setting cookie expiration in CookieOptions #1122
feature/cloudfront/sign: allow setting cookie expiration in CookieOptions #1122
Conversation
@skmcgrail it seems I'm unable to add any reviewers - mind if I get some eyes on this PR? Added you because I saw that you review most of these |
bumping @jasdel @skotambkar as well |
Out of curiosity what is the typical relation to the cookie expiration time, and the content policy expiration time in practice. I see that the intention of this PR is to add the option for setting cookie expiration time. Is there a time where the canned policy expiration time, and the cookie expiration time should be different? Should the expiration time already passed into the |
To follow up as well I see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.html notes that |
The link you included pretty much explains the use case - session cookies are wiped if you close a browser, while persistent cookies (created by specifying either Expires or Max-age) aren't wiped until they expire. Persistent cookies can provide a better user experience (they last between browser sessions), but do provide a slightly greater security risk - the same risk as having persistent authentication cookies to bypass logging into your favorite sites. The relationship between the canned policy expiration time and the cookie expiration is one I would think of as: cookie expiration <= canned policy expiration. In a lot of cases I would think it'd be the same, but I could see a use case where perhaps you want to give a user access to a VOD for an entire week, but only allow their cookies to exist for a few hours, forcing them to re-authenticate after a certain time. The cookie expiration shouldn't ever be greater than the policy expiration - it'd be quite useless because you'd just get hit with a 403 anyways. The All that being said, I opened this PR while I was implementing Cloudfront for my backend because I noticed it'd be cleaner to have all the cookie properties set through one interface - it's trivial to set the cookie expiration by hand (an additional 2 lines of code maybe?), so I don't see this PR as recommending persistent cookies over session cookies. It just gives the end-users the ability to create both entirely through the AWS SDK. If we want to force users to do it by hand because AWS recommends only using session cookies, we can close this out, that's fine by me :) |
Closing this out since it's gone stale |
This PR is a simple change that allows end users to specify the cookie expiration through CookieOptions. This makes it easier to return a persistent cookie to the client with an expiration equal to that used in a Canned Policy.