I have a Java Spring Boot application for a REST API deployed in AWS Elastic Beanstalk. It is HTTP, not HTTPS.
Let's call it http://foobar.elasticbeanstalk.com/api.
I am using an AWS CloudFront distribution to terminate HTTPS, but not to cache anything (I have set my Cache Policy to "Managed-CachingDisabled").
Let's call it https://dfoobar123.cloudfront.net.
There are some APIs that require the client to be "logged in". There is one call, /login, which results in an ACCESS_TOKEN being returned in the response cookie. Subsequent calls have to include that access token to be successful.
The app is all OK when accessed directly. When I go to http://foobar.elasticbeanstalk.com/api/login (Elastic Beanstalk app directly), the server logs me in and returns the cookie.
But, when I go to the CloudFront distribution, https://dfoobar123.cloudfront.net/api/login, I can see the server authenticating me, but I do not get the cookie back in the response headers.
What setting do I need to turn on in CloudFront to enable this?
You need to forward cookies in the cache behavior. Without it, CloudFront removes the Set-Cookie header from the response.
Here's the documentation:
You can configure each cache behavior to do one of the following:
...
Don’t forward cookies to your origin – CloudFront doesn’t cache your objects based on cookies sent by the viewer. In addition, CloudFront removes cookies before forwarding requests to your origin, and removes Set-Cookie headers from responses before returning responses to your viewers.
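As an added illustration (not part of the answer above), here is a hypothetical audit helper in Python that reads the DistributionConfig shape returned by `aws cloudfront get-distribution-config` and lists the cache behaviours that forward no cookies to the origin, i.e. the ones whose responses lose Set-Cookie under the rule quoted above. It assumes that rule also applies to the newer cache policies and origin request policies: a Managed-CachingDisabled cache policy forwards no cookies by itself, so an origin request policy that does forward cookies must be attached to the behaviour serving /api/login. The policy IDs and sample configs below are constructed placeholders.

```python
"""Hypothetical audit helper: which CloudFront cache behaviours forward no cookies?"""


def _policy_cookie_behavior(policy_cfg):
    """CookieBehavior of a CachePolicyConfig or OriginRequestPolicyConfig body."""
    if policy_cfg is None:
        return "none"
    # Cache policies nest cookie settings one level deeper than origin request policies.
    params = policy_cfg.get("ParametersInCacheKeyAndForwardedToOrigin", policy_cfg)
    return params.get("CookiesConfig", {}).get("CookieBehavior", "none")


def behavior_forwards_cookies(behavior, cache_policies, origin_request_policies):
    """True if this cache behaviour lets at least some cookies reach the origin."""
    # Legacy settings: ForwardedValues.Cookies.Forward is none | whitelist | all.
    legacy = behavior.get("ForwardedValues", {}).get("Cookies", {}).get("Forward")
    if legacy is not None:
        return legacy != "none"
    # Policy-based settings: cookies reach the origin if either attached policy
    # forwards them. A CachingDisabled-style cache policy forwards none on its own.
    cache_pol = cache_policies.get(behavior.get("CachePolicyId"))
    orp = origin_request_policies.get(behavior.get("OriginRequestPolicyId"))
    return (_policy_cookie_behavior(cache_pol) != "none"
            or _policy_cookie_behavior(orp) != "none")


def behaviors_dropping_cookies(dist_cfg, cache_policies, origin_request_policies):
    """Path patterns whose responses will lose Set-Cookie (assumed to follow the quoted rule)."""
    behaviors = [("*", dist_cfg["DefaultCacheBehavior"])]
    for b in dist_cfg.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b["PathPattern"], b))
    return [p for p, b in behaviors
            if not behavior_forwards_cookies(b, cache_policies, origin_request_policies)]


# Constructed sample data; the policy IDs are placeholders, not AWS's managed IDs.
CACHE_POLICIES = {"CACHING_DISABLED_ID": {"ParametersInCacheKeyAndForwardedToOrigin": {
    "CookiesConfig": {"CookieBehavior": "none"}}}}
ORIGIN_REQUEST_POLICIES = {"ALL_VIEWER_ID": {"CookiesConfig": {"CookieBehavior": "all"}}}

# Before: CachingDisabled alone, so /api/login's Set-Cookie never reaches the viewer.
BROKEN = {"DefaultCacheBehavior": {"CachePolicyId": "CACHING_DISABLED_ID"}}
# After: a cookie-forwarding origin request policy is attached to the default behaviour;
# a separate /static/* behaviour (legacy settings) still deliberately drops cookies.
FIXED = {"DefaultCacheBehavior": {"CachePolicyId": "CACHING_DISABLED_ID",
                                  "OriginRequestPolicyId": "ALL_VIEWER_ID"},
         "CacheBehaviors": {"Items": [{"PathPattern": "/static/*",
                                       "ForwardedValues": {"Cookies": {"Forward": "none"}}}]}}

if __name__ == "__main__":
    print(behaviors_dropping_cookies(BROKEN, CACHE_POLICIES, ORIGIN_REQUEST_POLICIES))  # ['*']
    print(behaviors_dropping_cookies(FIXED, CACHE_POLICIES, ORIGIN_REQUEST_POLICIES))   # ['/static/*']
```

Running it against a real distribution means fetching the config and the attached policies with the AWS CLI or boto3 and feeding the resulting dicts in; any path pattern it reports is one where the login cookie will be stripped.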