Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Cloudflare authorization cookie

When you protect a site with Cloudflare Access, Cloudflare checks every HTTP request bound for that site to ensure that the request has a valid CF_Authorization cookie. If a request does not include the cookie, Access will block the request.

​​ Access JWTs

The CF_Authorization cookie contains the user’s identity in the form of a JSON Web Token (JWT). Cloudflare securely creates these tokens through the OAUTH or SAML integration between Cloudflare Access and the configured identity provider.

Two tokens are generated:

  • Global session token: a token generated when a user logs in to Access. This token is stored as a cookie at your team domain (for example, https://<your-team-name>.cloudflareaccess.com) and prevents a user from needing to log in to each application.

  • Application token: a token generated for each application that a user reaches. This token is stored as a cookie on the application (for example, https://jira.site.com) and may be used to validate requests on your origin.

Cloudflare Access provides optional security settings that can be added to the browser cookies generated by Access for an authenticated user.

To enable these settings:

  1. In Zero Trust, go to Access > Applications.

  2. Locate the application you would like to configure and select Edit.

  3. Select Settings and scroll down to Cookie settings.

  4. Configure the desired cookie settings.

  5. Select Save application.

​​ SameSite Attribute

The SameSite Attribute selector restricts the cookie to only being sent if the cookie’s defined site matches the site being requested in the browser. This adds protection against cross-site request forgery (CSRF).

The selector options are:

  • None - Cookies will be sent in all contexts, including cross-origin requests.
  • Lax - Cookies are allowed to be sent with top-level navigations and will be sent along with GET requests initiated by third party websites.
  • Strict - Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.

Refer to the Mozilla documentation for more information.

​​ When not to use SameSite

Do not enable SameSite restrictions if you have additional sites or applications that rely on a specific application’s authorization cookie.

​​ HttpOnly

The HttpOnly flag is a cookie attribute that prevents the cookie from being accessed by any client-side scripts, reducing the likelihood of Cross-Site Scripting (XSS) attacks. This flag is enabled by default.

​​ When not to use HttpOnly

Do not enable HttpOnly if:

  • You are using the Access application for non-browser based tools.
  • You have software that relies on being able to access a user’s cookie generated by Access.

The Binding Cookie is an additional cookie created when a user successfully authenticates, shared with Cloudflare to verify identity, and then stripped before it reaches the origin server. The Binding Cookie associates the browser with the Access token; the association protects against compromised authorization tokens because the origin webapp would never see this binding cookie. This protects against session hijack style attacks.

Do not use the Binding Cookie for non-browser based Access applications that rely on protocols like SSH, RDP, etc.

The Cookie Path Attribute adds the application’s path URL to the CF_Authorization cookie. When enabled, a user who logs in to example.com/path1 must re-authenticate to access example.com/path2. When disabled, the CF_Authorization cookie is only scoped to the domain and subdomain.

​​ Allow cross-site cookies in Firefox

By default, Firefox Private Browsing mode blocks all cross-site cookies including the CF_Authorization cookie. For XHR requests to work in private windows, you will need to exempt your site and team domain from the browser’s tracking protection system.

To enable cross-site cookies in Firefox:

  1. In Firefox, go to Settings > Privacy & Security.
  2. Scroll down to Cookies and Site Data.
  3. Select Manage Exceptions.
  4. Enter the URL of your Access application (for example, https://jira.site.com) and select Allow.
  5. Enter https://<your-team-name>.cloudflareaccess.com and select Allow.
  6. Select Save Changes.

You can now make XHR requests to your Access application in Firefox Private Browsing mode.