Can I rely on __cfduid cookie being unique per origin?

What I would actually like to do is assign the value of a __cfduid in the database so that each open resource can have a dedicated origin. When resources are open in the application, they are stateful, so all clients opening these shared resources need to go to the same origin. Is it safe to set the __cfduid cookie from the application?

Thank you in advance for any answers. 🙂

That cookie is described at https://support.cloudflare.com/hc/en-us/articles/200170156-Understanding-the-Cloudflare-Cookies#12345682

I am not sure what you mean by “unique per origin”, but it is not so much origin-related but rather user-related. It is unique (as unique as a 344-bit value can be) per user and per domain for 30 days.

I am also not sure what you mean by “set” as you cannot “set” the value, but if you mean “use within your server code”, then I’d also rather advise against that. You better have your own session mechanisms, this cookie really is for Cloudflare.

1 Like

@sandro oh, I totally misunderstood the purpose of that cookie. Ok it makes sense then!

I guess the only way to affect load balancing (lock it down to a specific origin) is a separate DNS entry that’s outside the load balancer.

You mean your own private load balancer, not Cloudflare’s?

For that use case you could probably use that cookie to route one specific user always via the same route; however, keep in mind this is more than a session cookie and will stay for 30 days by default. Furthermore, the logic can change. That cookie is essentially not intended to be used by the site.

But if you just need a user specific cookie, then yes, it might do what you want.

Again, sorry for not explaining my intentions too well.

I have Origin1 and Origin2 in my Cloudflare’s LB pool. Users from around the world are getting connected either to Origin1 or to Origin2, without much predictability.

In my cloud service, Origin1 and Origin2 are actually stateful (in-memory state + algorithms). This means that, for certain resources, ALL USERS who want to access a specific resource need to connect to a single origin which is controlling that resource.

My original idea was somehow manipulating Cloudflare’s cookies to force all users of a specific resource to a specific origin which is controlling that resource.

My current idea is simply having a unique hostname for each origin and directing the users there through an explicit connect through a non-LBed hostname, without messing with CF’s load balancer (as you pointed out, the cookies are not intended to be used directly).

Hope it makes sense.
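The hostname-per-origin idea from the post above, as an added example that is not part of the original thread: the owning origin of each open resource is recorded server-side and clients are sent to that origin's own hostname, so nothing depends on a client-supplied cookie. The hostnames, table name, URL path and function names are hypothetical, and an in-memory SQLite database stands in for the application's database.

```python
import sqlite3
from urllib.parse import quote

# Hypothetical non-load-balanced hostnames, one per stateful origin.
# Redirect targets only ever come from this allow-list, never from client input.
ORIGIN_HOSTS = {
    "origin1": "origin1.example.com",
    "origin2": "origin2.example.com",
}


def open_db():
    """Create the ownership table (in-memory here; shared by all origins in practice)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE resource_owner ("
        " resource_id TEXT PRIMARY KEY,"
        " origin TEXT NOT NULL)"
    )
    return db


def claim_owner(db, resource_id, local_origin):
    """Return the origin controlling resource_id, claiming it for local_origin if unowned."""
    if local_origin not in ORIGIN_HOSTS:
        raise ValueError("unknown origin: %r" % local_origin)
    with db:  # one transaction: the primary key makes the first claim win
        db.execute(
            "INSERT OR IGNORE INTO resource_owner (resource_id, origin) VALUES (?, ?)",
            (resource_id, local_origin),
        )
        row = db.execute(
            "SELECT origin FROM resource_owner WHERE resource_id = ?",
            (resource_id,),
        ).fetchone()
    return row[0]


def connect_url(db, resource_id, local_origin):
    """URL every client of resource_id should connect to, whichever origin it landed on."""
    owner = claim_owner(db, resource_id, local_origin)
    return "https://%s/resources/%s" % (ORIGIN_HOSTS[owner], quote(resource_id, safe=""))


def release(db, resource_id, local_origin):
    """Drop ownership when the resource closes; only the current owner may release it."""
    with db:
        cur = db.execute(
            "DELETE FROM resource_owner WHERE resource_id = ? AND origin = ?",
            (resource_id, local_origin),
        )
    return cur.rowcount == 1
```
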

You cannot change the Cloudflare cookies, however if we are talking about Cloudflare’s load balancer you should look into https://developers.cloudflare.com/load-balancing/understand-basics/session-affinity/ instead.

1 Like

Yep, I read through it, but it looks like dynamic/programmatic control of session affinity is not possible.

No, but that shouldn’t be necessary either. It simply makes sure that a client’s requests always go to the same origin and that’s what you want to achieve, is it not?

1 Like