Understanding SameSite cookie interaction with Cloudflare

Learn about the SameSite cookie and how it protects against Cross-site Request Forgery (CSRF).


Overview

Google Chrome's SameSite cookie update changes how the browser handles the SameSite attribute. Google enforces SameSite to protect against marketing cookies that track users and against Cross-site Request Forgery (CSRF), which allows attackers to steal or manipulate your cookies.

The SameSite cookie has 3 different modes:

  • Strict: Cookies are created by the first-party (the visited domain). For example, a first-party cookie is set by Cloudflare when visiting Cloudflare.com.
  • Lax: Cookies are only sent to the domain apex (e.g. *.foo.com). For example, if someone (blog.naughty.com) hotlinked an image (img.foo.com/bar.png), the client doesn't send a cookie to img.foo.com, since the request is neither a first-party nor an apex context.
  • None: Cookies are sent with all requests.

SameSite settings for Cloudflare cookies include:

Cloudflare cookie   SameSite setting        HTTPS only
__cfduid            SameSite=Lax            No
__cf_bm             SameSite=None; Secure   Yes
cf_clearance        SameSite=None; Secure   Yes
__cfruid            SameSite=None; Secure   Yes
__cflb              SameSite=Lax            No


Known issues with SameSite and cf_clearance cookies

When a Cloudflare CAPTCHA or JavaScript challenge is solved, such as for a Firewall Rule or IP Access Rule, a cf_clearance cookie is set in the client browser. The cf_clearance cookie has a default lifetime of 30 minutes, which is configured via Challenge Passage within the Settings tab of the Cloudflare Firewall app.

Cloudflare uses SameSite=None for the cf_clearance cookie so that visitor requests from different hostnames are not met with subsequent challenges or errors. When SameSite=None is used, it must be set in conjunction with the Secure flag.

Use of the Secure flag requires sending the cookie via an HTTPS connection. If any part of your website uses HTTP, the cf_clearance cookie therefore defaults to SameSite=Lax, which may cause your website not to function properly. To resolve the issue, move your website traffic to HTTPS. Cloudflare offers two features to assist:
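The following is an added example, not code from the Cloudflare article: it parses Set-Cookie headers, applies the SameSite/Secure rules described above (None is only honoured with Secure over HTTPS, otherwise the browser falls back to Lax), and decides whether a cookie in a given mode accompanies a cross-site request such as the hotlinked-image case. The sample headers and cookie values are constructed.

```python
# Added example (not from the Cloudflare article): applies the SameSite/Secure
# rules described above to Set-Cookie headers and to a cross-site request.
from typing import Dict, List, Optional, Tuple, Union


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Union[str, bool]]]:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True  # flag attrs -> True
    return name.strip(), value.strip(), attrs


def effective_samesite(attrs, over_https: bool) -> Tuple[str, Optional[str]]:
    """Mode the browser actually applies, plus a warning if it downgraded.
    SameSite=None is only honoured with Secure, and Secure only works over HTTPS;
    otherwise the cookie is treated as Lax (the cf_clearance problem on HTTP sites)."""
    mode = str(attrs.get("samesite", "Lax")).capitalize()  # Chrome defaults to Lax
    secure = attrs.get("secure") is True
    if mode == "None" and not (secure and over_https):
        return "Lax", "SameSite=None needs Secure over HTTPS; browser falls back to Lax"
    return mode, None


def would_send(mode: str, same_site_request: bool, top_level_navigation: bool) -> bool:
    """Strict: same-site only. Lax: same-site or cross-site top-level navigation
    (a hotlinked image is a subresource, so no Lax cookie). None: always sent."""
    if mode == "None":
        return True
    if mode == "Strict":
        return same_site_request
    return same_site_request or top_level_navigation


def audit(headers: List[str], over_https: bool) -> List[Tuple[str, str, Optional[str]]]:
    """Report (name, effective mode, warning) for each Set-Cookie header."""
    report = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        mode, warning = effective_samesite(attrs, over_https)
        report.append((name, mode, warning))
    return report


# Constructed sample headers mirroring the settings table above (values are made up).
SAMPLE_HEADERS = [
    "cf_clearance=example-token; Path=/; SameSite=None; Secure",
    "__cfduid=example-id; Path=/; SameSite=Lax",
    "cf_clearance=example-token; Path=/; SameSite=None",  # misconfigured: no Secure
]

if __name__ == "__main__":
    for name, mode, warning in audit(SAMPLE_HEADERS, over_https=True):
        print(f"{name}: effective SameSite={mode}" + (f" ({warning})" if warning else ""))
```

Running the script over the constructed headers flags the third cookie as downgraded to Lax; passing over_https=False to audit() flags every SameSite=None cookie, which is the HTTP situation the article warns about.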

