WARP sessions
Cloudflare Zero Trust enforces WARP client reauthentication on a per-application basis, unlike legacy VPNs which treat it as a global setting. You can configure WARP session timeouts for your Access applications or as part of your Gateway policies.
When a user goes to a protected application or website, Cloudflare checks their WARP session duration against the configured session timeout. If the session has expired, the user will be prompted to re-authenticate with the identity provider (IdP) used to enroll in the WARP client.
A user's WARP session duration resets to zero whenever they re-authenticate with the IdP, regardless of what triggered the authentication event.
Ensure that traffic can reach your IdP and <your-team-name>.cloudflareaccess.com
through WARP.
You can enforce WARP session timeouts on any Gateway Network and HTTP policy that has an Allow action. If you do not specify a session timeout, the WARP session will be unlimited by default.
Session timeouts have no impact on Gateway DNS policies. DNS policies remain active even when a user needs to re-authenticate.
To configure a session timeout for a Gateway policy:
- In Zero Trust ↗, go to either Gateway > Firewall Policies. Choose either Network or HTTP.
- Add a policy and select the Allow action. Alternatively, choose any existing Allow policy.
- Under Step 4 - Configure policy settings, select Edit next to Enforce WARP client session duration.
- Enter a session expiration time in
1h30m0s
format and save. - Save the policy.
Session checks are now enabled for the application protected by this policy. Users can continue to reach applications outside of the policy definition.
You can allow users to log in to Access applications using their WARP session. WARP authentication is only supported for Access applications protected by Allow or Block policies.
To configure WARP sessions for Access applications:
- In Zero Trust ↗, go to Settings > WARP Client.
- In Device enrollment permissions, select Manage.
- Go to the Authentication tab and enable WARP authentication identity.
- Under Session duration, choose a session timeout value. This timeout will apply to all Access applications that have WARP authentication enabled.
- (Optional) To enable WARP authentication by default for all existing and new applications, select Apply to all Access applications. You can override this default setting on a per-application basis when you create or modify an Access application.
- Select Save.
Users can now authenticate once with WARP and have access to your Access applications for the configured period of time. The session timer resets when the user re-authenticates with the IdP used to enroll in WARP.
If the user has an active browser session with the IdP, WARP will use the existing browser cookies to re-authenticate and the user will not be prompted to re-enter their credentials. You can override this behavior to require explicit user interaction in the IdP.
- Only one user per device — If a device is already registered with User A, User B will not be able to log in on that device through the re-authentication flow. To switch the device registration to a different user, User A must first log out from Zero Trust (if Allow device to leave organization is enabled), or an admin can revoke the registration from My Team > Devices. User B can then properly enroll.
- Active connections are not terminated — Active sessions such as SSH and RDP will remain connected beyond the timeout limit.
- Binding Cookie is not supported - WARP authentication will not work for Access applications that have the Binding Cookie enabled.