What does the Cloudflare cfduid cookie do?

The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

Depending on the Always Use HTTPS configuration, this cookie is created as either secure or non-secure.

The Always Use HTTPS setting redirects all requests that use the http scheme to https. This applies to all http requests to the domain. You can find this option in the Crypto app of the Cloudflare dashboard.

Below are examples of the __cfduid cookie based on the domain's Always Use HTTPS setting:

Always Use HTTPS = True:

< Set-Cookie: __cfduid=de73c7e08a3753ac6b2fc84a838098dd91524036568; expires=Thu, 18-Apr-19 07:29:28 GMT; path=/; domain=.domain.com; HttpOnly; Secure

Always Use HTTPS = False:

< Set-Cookie: __cfduid=dbed136878a72f4a881e70c74fcf4b3411524036444; expires=Thu, 18-Apr-19 07:27:24 GMT; path=/; domain=.domain.com; HttpOnly

If your domain uses the Cloudflare Managed CNAME service, __cfduid cookies will always be non-secure, even when Always Use HTTPS is enabled. Cloudflare guarantees always using HTTPS if your DNS resolution is fully managed within Cloudflare. Under a Managed CNAME setup, it is therefore necessary for __cfduid cookies to be non-secure so that your users can be identified over either HTTP or HTTPS.
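
The following Python check is added here as an illustration and is not Cloudflare code. It parses the two Set-Cookie headers shown above and compares the Secure flag with what the Always Use HTTPS and Managed CNAME rules predict; the function names are hypothetical.

```python
# Added example, not Cloudflare code. Function names are hypothetical;
# the sample headers are the two shown in this article.
SAMPLE_HTTPS_ON = ("< Set-Cookie: __cfduid=de73c7e08a3753ac6b2fc84a838098dd91524036568; "
                   "expires=Thu, 18-Apr-19 07:29:28 GMT; path=/; domain=.domain.com; HttpOnly; Secure")
SAMPLE_HTTPS_OFF = ("< Set-Cookie: __cfduid=dbed136878a72f4a881e70c74fcf4b3411524036444; "
                    "expires=Thu, 18-Apr-19 07:27:24 GMT; path=/; domain=.domain.com; HttpOnly")


def parse_set_cookie(line):
    """Return (name, value, attrs) for a Set-Cookie line, or None for other headers."""
    line = line.lstrip("< ").strip()          # drop curl's "< " response marker
    field, sep, rest = line.partition(":")
    if not sep or field.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in rest.split(";") if p.strip()]
    if not parts:
        return None
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True   # flags such as Secure map to True
    return name.strip(), value, attrs


def expected_secure(always_use_https, managed_cname=False):
    """Secure is expected only with Always Use HTTPS on and no Managed CNAME."""
    return always_use_https and not managed_cname


def audit_cfduid(header_lines, always_use_https, managed_cname=False):
    """Report the flags of every __cfduid cookie and whether Secure matches the settings."""
    findings = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None or parsed[0] != "__cfduid":
            continue
        attrs = parsed[2]
        secure = "secure" in attrs
        findings.append({
            "secure": secure,
            "httponly": "httponly" in attrs,
            "sent_over_http": not secure,   # without Secure the browser also sends it over plain HTTP
            "matches_setting": secure == expected_secure(always_use_https, managed_cname),
        })
    return findings


if __name__ == "__main__":
    print(audit_cfduid([SAMPLE_HTTPS_ON], always_use_https=True))
    print(audit_cfduid([SAMPLE_HTTPS_OFF], always_use_https=True))
```

A result with "matches_setting" set to False on a domain that has Always Use HTTPS enabled points to the Managed CNAME case described above.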

This cookie is absolutely necessary for supporting Cloudflare's security features and cannot be turned off. 
