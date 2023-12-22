SameSite cookie interaction with Cloudflare
Google Chrome enforces SameSite cookie behavior to limit third-party cookies that track users across sites and to mitigate Cross-Site Request Forgery (CSRF), in which an attacker's site makes the browser send requests to your site that carry the victim's cookies.
The SameSite cookie attribute has three different modes. Two URLs are same-site when they share the same scheme and registrable domain, so www.example.com and img.example.com are same-site, while blog.example.net is cross-site to both.
- Strict: The cookie is only sent with same-site requests, that is, requests made while the visitor is on the site that set the cookie. It is never sent on a cross-site request, not even a top-level navigation from another site. For example, a Strict cookie set by cloudflare.com is sent only on requests made while the visitor is browsing cloudflare.com.
- Lax: The cookie is sent with same-site requests and with cross-site top-level navigations that use a safe method (such as GET), but not with cross-site subresource requests. For example, if a page on blog.example.net hotlinks an image (img.example.com/bar.png), the browser does not send a Lax cookie for img.example.com, because example.net and example.com are different sites. Chrome treats a cookie with no SameSite attribute as Lax.
- None: The cookie is sent with all requests, same-site and cross-site. Browsers only accept SameSite=None when the cookie also carries the Secure attribute.
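The rules above, as an added example that is not part of the Cloudflare page: a small Python model of Chrome's decision on whether to attach a cookie to a request, driven by the Set-Cookie attributes and the site of the page the visitor is on. The hostnames, cookie values and the simplified registrable-domain computation (last two host labels, which works for example.com and example.net but not for public suffixes such as co.uk) are assumptions made for the example.

```python
# Added example (not Cloudflare's code): a model of the SameSite rules Chrome
# applies when deciding whether to attach a cookie to a request.
# The "site" computation is simplified to the last two host labels; a real
# implementation uses the Public Suffix List to find the registrable domain.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str   # "Strict", "Lax" or "None"
    secure: bool


def parse_set_cookie(header: str) -> Optional[Cookie]:
    """Extract name, SameSite and Secure from a Set-Cookie header value.

    Returns None when a current browser rejects the cookie outright,
    which is the case for SameSite=None without Secure.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite = "Lax"      # Chrome treats a missing SameSite attribute as Lax
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            samesite = value.strip().capitalize()
    if samesite == "None" and not secure:
        return None
    return Cookie(name, samesite, secure)


def site_of(url: str) -> tuple:
    """Return (scheme, registrable domain), the "site" that SameSite compares."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return (parts.scheme, ".".join(labels[-2:]))


def is_sent(cookie: Cookie, request_url: str, page_url: str,
            top_level_navigation: bool = False, method: str = "GET") -> bool:
    """Decide whether the browser attaches `cookie` to a request for
    `request_url` made while the visitor is on a page at `page_url`."""
    # Secure cookies never travel over plain HTTP, whatever SameSite says.
    if cookie.secure and urlsplit(request_url).scheme != "https":
        return False
    if cookie.samesite == "None":
        return True
    if site_of(request_url) == site_of(page_url):
        return True                      # same-site: Lax and Strict both allow it
    if cookie.samesite == "Lax":
        # Cross-site is allowed only for top-level navigations with a safe method.
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    return False                         # Strict: never cross-site


if __name__ == "__main__":
    # Constructed scenario from the text: a page on blog.example.net hotlinks
    # an image served by img.example.com, which set a Lax cookie earlier.
    lax = parse_set_cookie("session=abc123; SameSite=Lax")
    print(is_sent(lax, "https://img.example.com/bar.png",
                  "https://blog.example.net/post"))
    cf_bm = parse_set_cookie("__cf_bm=value; SameSite=None; Secure")
    print(is_sent(cf_bm, "https://img.example.com/bar.png",
                  "https://blog.example.net/post"))
```

The hotlinked image request returns False for the Lax cookie and True for the SameSite=None; Secure cookie, which is why Cloudflare's own cookies use the latter; the same model also shows that a Secure cookie is dropped from any http:// request.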
SameSite settings for Cloudflare cookies include:

| Cloudflare cookie | SameSite setting | HTTPS Only |
| --- | --- | --- |
| __cf_bm | SameSite=None; Secure | Yes |
| cf_clearance | SameSite=None; Secure | Yes |
| __cflb | SameSite=Lax | No |
SameSite attribute in session affinity cookies
Currently, to configure the SameSite attribute on session affinity cookies you must use the Cloudflare API (for example, the Create Load Balancer operation).
To configure the value of the SameSite cookie attribute, include the samesite and secure JSON attributes in your HTTP request, inside the session_affinity_attributes object.
The available values for these two attributes are the following:
samesite attribute:
- Valid values: Auto (default), Lax, None, Strict.
secure attribute:
- Valid values: Auto (default), Always, Never.
The Auto value for the samesite attribute has the following behavior:
- If Always Use HTTPS is enabled, session affinity cookies use the Lax SameSite mode.
- If Always Use HTTPS is disabled, session affinity cookies use the None SameSite mode.
The Auto value for the secure attribute has the following behavior:
- If Always Use HTTPS is enabled, session affinity cookies include the Secure attribute.
- If Always Use HTTPS is disabled, session affinity cookies do not include the Secure attribute.
If you set samesite to None in your API request, you cannot set secure to Never, because browsers only accept a SameSite=None cookie that also carries the Secure attribute.
If you require a specific SameSite configuration in your session affinity cookies, Cloudflare recommends that you provide values for samesite and secure different from Auto, instead of relying on the default behavior. This way, the value of the SameSite cookie attribute will not change due to configuration changes (namely Always Use HTTPS).
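The samesite and secure attributes, the constraint on combining them and the expansion of Auto, as an added example that is not part of the Cloudflare page or API client: a Python helper that builds the session_affinity_attributes fragment and resolves what the session affinity cookie will actually carry for a given Always Use HTTPS setting. The surrounding request body (the session_affinity field and any other fields the Create Load Balancer operation requires) is an assumption and is shown only as a minimal fragment; the valid values and the Auto rules are the ones the text states.

```python
# Added example (not Cloudflare's code): build the session_affinity_attributes
# fragment for the Create Load Balancer request and resolve what the session
# affinity cookie will carry once Auto is expanded. Field names other than
# samesite/secure are assumptions for illustration.
import json

SAMESITE_VALUES = ("Auto", "Lax", "None", "Strict")
SECURE_VALUES = ("Auto", "Always", "Never")


def is_valid_combination(samesite: str, secure: str) -> bool:
    """samesite=None may not be paired with secure=Never: browsers reject a
    SameSite=None cookie that lacks the Secure attribute."""
    if samesite not in SAMESITE_VALUES or secure not in SECURE_VALUES:
        return False
    return not (samesite == "None" and secure == "Never")


def session_affinity_attributes(samesite: str = "Auto", secure: str = "Auto") -> dict:
    """The JSON object to place under session_affinity_attributes."""
    if not is_valid_combination(samesite, secure):
        raise ValueError(f"invalid samesite/secure combination: {samesite}/{secure}")
    return {"samesite": samesite, "secure": secure}


def effective_cookie_attributes(attrs: dict, always_use_https: bool) -> str:
    """Expand Auto according to the Always Use HTTPS setting and return the
    attribute suffix the session affinity cookie will carry."""
    samesite = attrs["samesite"]
    if samesite == "Auto":
        samesite = "Lax" if always_use_https else "None"
    secure = attrs["secure"]
    secure_flag = always_use_https if secure == "Auto" else secure == "Always"
    return f"SameSite={samesite}" + ("; Secure" if secure_flag else "")


def is_browser_acceptable(cookie_attributes: str) -> bool:
    """False for the one combination browsers reject: SameSite=None without Secure."""
    return not (cookie_attributes.startswith("SameSite=None")
                and "Secure" not in cookie_attributes)


def request_body(samesite: str, secure: str) -> str:
    """Serialize the request fragment. Only session_affinity_attributes comes
    from the text; session_affinity="cookie" and any other required fields
    (name, pools, ...) are assumptions the caller must complete."""
    body = {
        "session_affinity": "cookie",
        "session_affinity_attributes": session_affinity_attributes(samesite, secure),
    }
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    # Explicit values, as the text recommends, so a later change to Always Use
    # HTTPS cannot alter the cookie.
    print(request_body("Lax", "Always"))
    for auh in (True, False):
        auto = effective_cookie_attributes(session_affinity_attributes(), auh)
        print(f"Auto/Auto with Always Use HTTPS={auh}: {auto} "
              f"(accepted by browsers: {is_browser_acceptable(auto)})")
```

Running it shows the case the recommendation guards against: with both attributes left at Auto and Always Use HTTPS disabled, the cookie comes out as SameSite=None without Secure, which browsers reject. The API only forbids None together with Never, so samesite=None with secure=Auto can produce the same unusable cookie once Always Use HTTPS is turned off; pinning explicit values (for example Lax with Always) avoids both cases.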
Known issues with SameSite and cf_clearance cookies
When a visitor solves a challenge presented due to a WAF custom rule or an IP Access rule, a cf_clearance cookie is set in the visitor's browser. The cf_clearance cookie has a default lifetime of 30 minutes, which you can configure via Challenge Passage.
Cloudflare uses SameSite=None in the cf_clearance cookie so that visitor requests from different hostnames are not met with later challenges or errors. When SameSite=None is used, it must be set in conjunction with the Secure flag.
Using the Secure flag requires sending the cookie via an HTTPS connection, since browsers never send a Secure cookie over plain HTTP. If you use HTTP on any part of your website, the cf_clearance cookie defaults to SameSite=Lax, which may cause your website not to function properly (for example, cross-site requests to your hostnames are challenged again).
To resolve the issue, move your website traffic to HTTPS. Cloudflare offers two features for this purpose: