SameSite cookie interaction with Cloudflare
Google Chrome enforces SameSite cookie behavior ↗ to protect against marketing cookies that track users and Cross-site Request Forgery (CSRF) that allows attackers to steal or manipulate your cookies.
The SameSite
cookie attribute has three different modes:
- Strict: Cookies are created by the first party (the visited domain). For example, a first-party cookie is set by Cloudflare when visiting
cloudflare.com
. - Lax: Cookies are only sent to the apex domain (such as
example.com
). For example, if someone (blog.example.net
) hotlinked an image (img.example.com/bar.png
), the client does not send a cookie toimg.example.com
since it is neither the first-party nor apex context. - None: Cookies are sent with all requests.
SameSite
settings for Cloudflare cookies include:
Cloudflare cookie | SameSite setting | HTTPS Only |
---|---|---|
__cf_bm | SameSite=None; Secure | Yes |
cf_clearance | SameSite=None; Secure | Yes |
__cflb | SameSite=Lax | No |
Currently, to configure the SameSite
attribute on session affinity cookies you must use the Cloudflare API (for example, the Create Load Balancer operation).
To configure the value of the SameSite
cookie attribute, include the samesite
and secure
JSON attributes in your HTTP request, inside the session_affinity_attributes
object.
The available values for these two attributes are the following:
samesite
attribute:
- Valid values:
Auto
(default),Lax
,None
,Strict
.
secure
attribute:
- Valid values:
Auto
(default),Always
,Never
.
The Auto
value for the samesite
attribute will have the following behavior:
- If Always Use HTTPS is enabled, session affinity cookies will use the
Lax
SameSite mode. - If Always Use HTTPS is disabled, session affinity cookies will use the
None
SameSite mode.
The Auto
value for the secure
attribute will have the following behavior:
- If Always Use HTTPS is enabled, session affinity cookies will include
Secure
in the SameSite attribute. - If Always Use HTTPS is disabled, session affinity cookies will not include
Secure
in the SameSite attribute.
If you set samesite
to None
in your API request, you cannot set secure
to Never
.
If you require a specific SameSite
configuration in your session affinity cookies, Cloudflare recommends that you provide values for samesite
and secure
different from Auto
, instead of relying on the default behavior. This way, the value of the SameSite
cookie attribute will not change due to configuration changes (namely Always Use HTTPS).
When a visitor solves a challenge presented due to a WAF custom rule or an IP Access rule, a cf_clearance
cookie is set in the visitor's browser. The cf_clearance
cookie has a default lifetime of 30 minutes, which you can configure via Challenge Passage.
Cloudflare uses SameSite=None
in the cf_clearance
cookie so that visitor requests from different hostnames are not met with later challenges or errors. When SameSite=None
is used, it must be set in conjunction with the Secure
flag.
Using the Secure
flag requires sending the cookie via an HTTPS connection. If you use HTTP on any part of your website, the cf_clearance
cookie defaults to SameSite=Lax
, which may cause your website not to function properly.
To resolve the issue, move your website traffic to HTTPS. Cloudflare offers two features for this purpose:
- SameSite cookies explained ↗
- Cloudflare Cookies
- Cloudflare SSL FAQ
- Automatic HTTPS Rewrites
- Always Use HTTPS