cookies, amazon-s3, amazon-cloudfront

Cloudfront signed cookies and simultaneous access to multiple paths in s3 bucket


I am using signed cookies to restrict access to content in my S3 bucket via CloudFront in my web-based application.

For example, a user can access content in s3://mys3/folder1 via http://mycf.example.com/folder1. He will not be able to access content in other folders at the same level.

Here is my problem:

The user uses my web app to access his content in s3://mys3/user1. He opens up another browser instance to access his peer's content in s3://mys3/buddy. The second browser will download a new set of signed cookies and overwrite the ones for user1. Now if he switches back to his first window, he will encounter an 'Access denied' problem.

What is the best practice to avoid this issue? e.g. Is it possible to specify multiple paths in a policy's url?


Solution

  • You can't specify multiple paths in your policy. If your folder structure won't match the wildcard values you can use, you will probably need to generate signed cookies for each path and scope them accordingly.

    You can specify what path a cookie will work for. When you Set-Cookie, specify the path as /user1 for your first user and /user2 for your second user. Then your browser will only send them when the paths match.

    http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.html#private-content-canned-policy-signature-cookies
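
The path scoping described in the answer, as an added example that is not part of the original post: it builds one custom-policy cookie set per folder with `Path=/<folder>` and models the browser's cookie store to show that the two sets coexist. The function names, the HTTPS base URL, the key pair ID and `placeholder_sign` are assumptions made for illustration; a real signer is RSA-SHA1 with the CloudFront private key.

```python
import base64, hashlib, json
from http.cookies import SimpleCookie

def cf_b64(data: bytes) -> str:
    # CloudFront's cookie-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'
    return base64.b64encode(data).decode().translate(str.maketrans("+=/", "-_~"))

def custom_policy(resource: str, expires_epoch: int) -> bytes:
    # One statement, one Resource: a policy cannot list several paths.
    cond = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    stmt = {"Resource": resource, "Condition": cond}
    return json.dumps({"Statement": [stmt]}, separators=(",", ":")).encode()

def scoped_set_cookie_headers(base_url, folder, expires_epoch, key_pair_id, sign):
    """Set-Cookie values for one folder, each limited to Path=/<folder>."""
    policy = custom_policy(f"{base_url}/{folder}/*", expires_epoch)
    jar = SimpleCookie()
    jar["CloudFront-Policy"] = cf_b64(policy)
    jar["CloudFront-Signature"] = cf_b64(sign(policy))
    jar["CloudFront-Key-Pair-Id"] = key_pair_id
    for morsel in jar.values():
        morsel["path"] = f"/{folder}"
        morsel["secure"] = True      # assumes the distribution is served over HTTPS
        morsel["httponly"] = True
    return [m.OutputString() for m in jar.values()]

def path_match(cookie_path: str, request_path: str) -> bool:
    # RFC 6265 section 5.1.4: exact match, or prefix ending at a '/' boundary
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

def browser_store(store: dict, headers) -> None:
    # Browsers key cookies by (name, domain, path); one host here, so (name, path)
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            store[(name, morsel["path"])] = morsel.value

def cookies_sent(store: dict, request_path: str) -> dict:
    return {n: v for (n, p), v in store.items() if path_match(p, request_path)}

def placeholder_sign(policy: bytes) -> bytes:
    # Constructed stand-in so the example runs offline. A real signer is
    # RSA-SHA1 over the policy with the CloudFront key pair's private key.
    return hashlib.sha256(policy).digest()
```

Because the stored entries differ in path, issuing cookies for `/buddy` leaves the `/user1` set in place, and a request under `/user10` receives neither set.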