Cloudflare uses the _cflb, _cf_bm, and _cfduid, cookies to maximize network resources, manage traffic, and protect our Customers’ sites from malicious traffic.
_cflb cookie for Cloudflare Load Balancer session affinity
When enabling session affinity with Cloudflare Load Balancer, Cloudflare sets a _cflb cookie with a unique value on the first response to the requesting client. Cloudflare routes future requests to the same origin, optimizing network resource usage. In the event of a failover, Cloudflare sets a new _cflb cookie to direct future requests to the failover pool.
The _cflb cookie allows us to return an End User to the same Customer origin for a specific period of time (Customer-configured), which in turn allows the Customer origin to maintain an End User’s experience seamlessly (for example, keeping an End User’s items in a shopping cart while they continue to navigate around the website). This cookie is a session cookie that lasts anywhere from several seconds up to 24 hours.
_cf_bm cookie for Cloudflare Bot Management
The _cf_bm cookie supports Cloudflare Bot Management by managing incoming traffic that matches criteria associated with bots. The cookie does not collect any personal data, and any information collected is subject to one-way encryption. This encrypted file contains Cloudflare’s proprietary bot score and helps manage incoming traffic that matches specific criteria.
Cloudflare places the _cf_bm cookie on the devices of our Customers' End Users when End Users visit Customer sites that are using Cloudflare Bot Management. If the End User passes a challenge, the cookie prevents additional challenges for up to 30 minutes. This cookie is a session cookie that lasts for up to 30 minutes from the time an End User connects with the site.
Cloudflare Customers can turn off the _cf_bm cookie by disabling Cloudflare Bot Management.
_cfduid cookie for identifying individual visitors privately
The _cfduid cookie helps Cloudflare detect malicious visitors to our Customers’ websites and minimizes blocking legitimate users. It may be placed on the devices of our customers' End Users to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It is necessary for supporting Cloudflare's security features.
Privacy and the _cfduid cookie
The _cfduid cookie collects and anonymizes End User IP addresses using a one-way hash of certain values so they cannot be personally identified. The cookie is a session cookie that expires after 30 days.
The _cfduid cookie does not:
- allow for cross-site tracking,
- follow users from site to site by merging various _cfduid identifiers into a profile, or
- correspond to any user ID in a Customer’s web application.
Generally, Cloudflare keeps user-level data (including the IP address of a requester) for less than 24 hours for domains in the Free, Pro and Business plans, and up to seven (7) days for Enterprise domains that have enabled Cloudflare Logs (formerly Enterprise LogShare or ELS). There may be exceptions with IP addresses that have triggered security alerts. You can find more information about what Cloudflare logs in this blog post.
Cloudflare has no control over how long a Customer may store downloaded Cloudflare Logs in their networks. Regarding any information that may live in cached content on our edge servers, our Customers control what data should be cached and for how long.
__cfduid and Always Use HTTPS
The Always use HTTPS setting redirects all requests with HTTP scheme to HTTPS. This applies to all HTTP requests to the domain. Customers can find this option in the SSL/TLS app of the Cloudflare dashboard.
Below are examples of the __cfduid cookie based on the domain's Always Use HTTPS setting.
If Always Use HTTPS = True, then:
Set-Cookie: __cfduid=de73c7e08a3753ac6b2fc84a838098dd91524036568; expires=Thu, 18-Apr-19 07:29:28 GMT; path=/; domain=.domain.com; HttpOnly; Secure
If Always Use HTTPS = False then:
Set-Cookie: __cfduid=dbed136878a72f4a881e70c74fcf4b3411524036444; expires=Thu, 18-Apr-19 07:27:24 GMT; path=/; domain=.domain.com; HttpOnly
If your domain uses the Cloudflare Managed CNAME service, __cfduid cookies will always be non-secure even when Always use HTTPS is enabled. Cloudflare guarantees always using HTTPS if your DNS resolution is fully managed within Cloudflare. As such under a Managed CNAME situation, it is necessary for __cfduid cookies to be non-secure so that your users can be identified over either HTTP or HTTPS access.
__cfduid cookie and Rate Limiting
The __cfduid cookie is only used when customers utilize a specific Enterprise feature within the Rate Limiting feature.
Enterprise customers may request to disable the _cfduid cookie by contacting Cloudflare Support, but Cloudflare’s ability to detect and mitigate the impact of malicious visitors to a Customer’s website will be significantly impacted. While some speed recommendations suggest eliminating cookies for static resources, the performance implications are minimal.