The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. For example, if the visitor is in a coffee shop where there are a bunch of infected machines, but the specific visitor's machine is trusted (e.g. because they've completed a challenge within your Challenge Passage period), the cookie allows us to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.
Because Cloudflare uses this cookie to identify both HTTP and HTTPS requests from known clients, we do not set the "secure" flag on it. This is not a risk, however, as mentioned above the cookie does not contain sensitive data.
This cookie is strictly necessary for Cloudflare's security features and cannot be turned off.