Does Amazon CloudFront pass through set-cookie headers?

Extending the excellent answer by @anthony-disanti, the (public) content to be cached can be loaded in CloudFront by executing the following steps:

  • Whitelist the specific cookie. This allows the cookie to be returned to the first viewer and sent again on the first refresh.
  • Allow caching by keeping the Set-Cookie header out of the cache key, using a Cache-Control value like: public, no-cache="Set-Cookie", max-age=86400

In our case, with an ASP.NET Core application having some public web pages, response times for the public web pages went down from 120 ms to 20 ms when served from CloudFront, and to 1 ms when served from disk cache. The cookie name in this case was ".AspNetCore.Session".

When you do not forward the cookie, CloudFront will not cache since each origin response contains a set-cookie header.

When you have no means to change the behavior of the origin, you might want to consider using a Lambda@Edge trigger on Origin Response such as:

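'use strict';

// Lambda@Edge handler for the Origin Response event.
exports.handler = (event, context, callback) => {
    // The origin's response, before CloudFront stores it in the cache.
    const response = event.Records[0].cf.response;

    // Only rewrite when the origin already sent a Cache-Control header.
    if (response.headers['cache-control'])
    {
        // no-cache="Set-Cookie" lets the object be cached without the Set-Cookie header.
        response.headers['cache-control'] = [{
            key:   'Cache-Control',
            value: 'public, max-age=604800, no-cache="Set-Cookie"'
        }];
    }

    callback(null, response);
};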
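A narrower variant of the trigger above, as an added example that is not part of the original answer: it marks a response public only for GET/HEAD requests with status 200 under an allow-list of public path prefixes, and leaves responses the origin marked private or no-store untouched, so session-bound pages are never made cacheable by the edge rewrite. The prefixes in PUBLIC_PREFIXES, the helper names and the sample event are assumptions constructed for illustration.

```javascript
'use strict';

// Assumption: prefixes that serve only public, non-personalized pages.
const PUBLIC_PREFIXES = ['/docs/', '/static/'];
const CACHE_CONTROL = 'public, max-age=604800, no-cache="Set-Cookie"';

// Pure policy check, kept separate so it can be tested without Lambda.
function shouldMakePublic(request, response) {
    if (request.method !== 'GET' && request.method !== 'HEAD') return false;
    if (response.status !== '200') return false; // status is a string in the event
    // Respect an origin that explicitly marked the response private or no-store.
    const cc = (response.headers['cache-control'] || [])
        .map(h => h.value.toLowerCase()).join(',');
    if (/\b(private|no-store)\b/.test(cc)) return false;
    return PUBLIC_PREFIXES.some(p => request.uri.startsWith(p));
}

// Origin Response handler: rewrites Cache-Control only when the policy allows it.
function handler(event, context, callback) {
    const { request, response } = event.Records[0].cf;
    if (shouldMakePublic(request, response)) {
        response.headers['cache-control'] = [{ key: 'Cache-Control', value: CACHE_CONTROL }];
    }
    callback(null, response);
}

// Constructed origin-response event (sample data, not captured traffic).
function sampleEvent(uri, method, status, cacheControl) {
    const headers = { 'set-cookie': [{ key: 'Set-Cookie',
        value: '.AspNetCore.Session=constructed; path=/; httponly' }] };
    if (cacheControl) headers['cache-control'] = [{ key: 'Cache-Control', value: cacheControl }];
    return { Records: [{ cf: { request: { uri, method }, response: { status, headers } } }] };
}

// Runs the handler on a sample event and returns the resulting Cache-Control value.
function run(uri, method, status, cacheControl) {
    let out;
    handler(sampleEvent(uri, method, status, cacheControl), {}, (err, res) => { out = res; });
    const cc = out.headers['cache-control'];
    return cc ? cc[0].value : null;
}

if (typeof exports !== 'undefined') exports.handler = handler;
```

Unlike the handler in the answer, this one also sets the header when the origin sent no Cache-Control at all, provided the path is on the allow-list.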

The answer isn't quite as simple as "yes" or "no." Yes, CloudFront will "pass through" set-cookie headers, but no, it will not cache the set-cookie header. This can be tested by simply uploading a test page that returns a set-cookie header with a random value and repeatedly loading the page.

CloudFront will pass along request cookies and return set-cookie headers for cookies that have been whitelisted in the "Behaviors" section of a Distribution (or all cookies if so configured). Any response that includes a set-cookie header for a whitelisted cookie will not be cached.

It should also be noted that CloudFront uses the values of any whitelisted cookies in its Object IDs for the cache objects. A particularly important case is session IDs or user-specific cookies - the user will always experience a cache miss when viewing a page for the first time, as CloudFront is using both the URL and the value of the cookie to identify the cached page.


The answer is yes, they do. They have a dropdown when configuring a distribution to allow None/Whitelist/All.