Cloudflare uses the __cflb and __cf_bm cookies to maximize network resources, manage traffic, and protect our Customers’ sites from malicious traffic.

Overview

The __cflb, __cf_bm, __cf_ob_info and __cf_use_ob, and __cfwaitingroom cookies are strictly necessary to provide the services requested by our Customers (as defined in our Privacy Policy), as we explain in more detail below.

Cloudflare encourages our Customers to disclose the use of these cookies to their End-Users (as defined in our Privacy Policy), and in some jurisdictions, Customers may be required to disclose these cookies to End Users.

Cookie data is processed in Cloudflare's data center in the United States and is subject to the cross-border data transfer section (section 7) of the Cloudflare Privacy Policy.

*__cflb* cookie for Cloudflare Load Balancer session affinity

When enabling session affinity with Cloudflare Load Balancer, Cloudflare sets a __cflb cookie with a unique value on the first response to the requesting client. Cloudflare routes future requests to the same origin, optimizing network resource usage. In the event of a failover, Cloudflare sets a new __cflb cookie to direct future requests to the failover pool.

The __cflb cookie allows us to return an End User to the same Customer origin for a specific period of time (Customer-configured), which in turn allows the Customer origin to maintain an End User’s experience seamlessly (for example, keeping an End User’s items in a shopping cart while they continue to navigate around the website). This cookie is a session cookie that lasts anywhere from several seconds up to 24 hours.

*__cf_bm* cookie for Cloudflare bot products

Cloudflare's bot products identify and mitigate automated traffic to protect your site from bad bots. Cloudflare places the __cf_bm cookie on End User devices that access Customer sites that are protected by Bot Management or Bot Fight Mode. The __cf_bm cookie is necessary for the proper functioning of these bot solutions.

This cookie expires after (at most) 30 minutes of continuous inactivity by the End User. The cookie contains information related to the calculation of Cloudflare’s proprietary bot score and, when Anomaly Detection is enabled on Bot Management, a session identifier. The information in the cookie (other than time-related information) is encrypted and can only be decrypted by Cloudflare.

A separate __cf_bm cookie is generated for each site that an End User visits, and Cloudflare does not follow users from site to site or from session to session by merging various __cf_bm identifiers into a profile. The __cf_bm cookie is generated independently by Cloudflare, and does not correspond to any user ID or other identifiers in a Customer’s web application.

*__cfduid* cookie for identifying individual visitors privately

The __cfduid cookie helps Cloudflare detect malicious visitors to our Customers’ websites and minimizes blocking legitimate users. It may be placed on the devices of our customers' End Users to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It is necessary for supporting Cloudflare's security features.

Privacy and the __cfduid cookie 

The __cfduid cookie collects and anonymizes End User IP addresses using a one-way hash of certain values so they cannot be personally identified. The cookie is a session cookie that expires after 30 days.

The __cfduid cookie does not:

• allow for cross-site tracking,
• follow users from site to site by merging various __cfduid identifiers into a profile, or
• correspond to any user ID in a Customer’s web application.

Generally, Cloudflare keeps user-level data (including the IP address of a requester) for less than 24 hours for domains in the Free, Pro and Business plans, and up to seven (7) days for Enterprise domains that have enabled Cloudflare Logs (formerly Enterprise LogShare or ELS). There may be exceptions with IP addresses that have triggered security alerts. You can find more information about what Cloudflare logs in this blog post.

Cloudflare has no control over how long a Customer may store downloaded Cloudflare Logs in their networks. Regarding any information that may live in cached content on our edge servers, our Customers control what data should be cached and for how long.

__cfduid and Always Use HTTPS

The Always use HTTPS setting redirects all requests with HTTP scheme to HTTPS. This applies to all HTTP requests to the domain. Customers can find this option in the SSL/TLS app of the Cloudflare dashboard.

Below are examples of the __cfduid cookie based on the domain's Always Use HTTPS setting.

If Always Use HTTPS = True, then:

Set-Cookie: *\__cfduid*=de73c7e08a3753ac6b2fc84a838098dd91524036568; expires=Thu, 18-Apr-19 07:29:28 GMT; path=/; domain=.domain.com; HttpOnly; Secure

If Always Use HTTPS = False then:

Set-Cookie: *\__cfduid*=dbed136878a72f4a881e70c74fcf4b3411524036444; expires=Thu, 18-Apr-19 07:27:24 GMT; path=/; domain=.domain.com; HttpOnly

If your domain uses the Cloudflare Managed CNAME service, __cfduid cookies will always be non-secure even when Always use HTTPS is enabled. Cloudflare guarantees always using HTTPS if your DNS resolution is fully managed within Cloudflare. As such under a Managed CNAME situation, it is necessary for __cfduid cookies to be non-secure so that your users can be identified over either HTTP or HTTPS access.

Disabling __cfduid

Enterprise customers may request to disable the _cfduid cookie by contacting Cloudflare Support, but Cloudflare’s ability to detect and mitigate the impact of malicious visitors to a Customer’s website will be significantly impacted. While some speed recommendations suggest eliminating cookies for static resources, the performance implications are minimal.

*__cf_ob_info* and *__cf_use_ob* cookie for Cloudflare Always Online

The __cf_ob_info cookie provides information on:

• The HTTP Status Code returned by the origin web server,
• The Ray ID of the original failed request, and
• The data center serving the traffic.

The __cf_use_ob cookie informs Cloudflare to fetch the requested resource from the Always Online cache on the designated port. Applicable values are: 0, 80, and 443.

*__cfwaitingroom* for Cloudflare Waiting Rooms

Cloudflare’s Waiting Room product enables a waiting room for a particular host and path combination within a zone.  Visitors are put in the waiting room and provided an estimate of when they will be allowed to access the application if not immediately available.

The __cfwaitingroom cookie is only used to track visitors that access a Waiting Room enabled host and path combination for a zone.  The __cfwaitingroom cookie also provides time estimates for entering the application and serves visitors in the correct order.  The __cfwaitingroom cookie also allows visitors to re-enter the application after leaving for a customer-specified amount of time without having to be put in the Waiting Room.  

The __cfwaitingroom cookie expires in 24 hours for visitors that stay in the Waiting Room. When the visitor accesses the application, the __cfwaitingroom cookie is set to expire within the session duration, which can be configured by the customer. 

Visitors using a browser that does not accept cookies cannot visit the host and path combination while the Waiting Room is active.   Enable the Waiting Room feature by speaking with your Account Team.  Afterward, control the Waiting Room via the Cloudflare dashboard Traffic app under the Waiting Rooms tab.

Additional cookies used by the Challenge Platform

The table below shows additional cookies used by the Challenge Platform.

Related resources

• Introduction to Cloudflare Bot Management
• Load Balancing Session Affinity
• Cloudflare Privacy Policy
• Understanding SameSite cookie interaction with Cloudflare