__cfduid cookie being sent insecure even though Always use HTTPS enabled

__cfduid cookie still being sent as ‘insecure’ even though we have Always use HTTPS enabled.

This support article says if we have Always use HTTPS enabled the cookie should be sent with ‘secure’ flag.

We do not have a Business account and as far as I can tell are not using Managed CNAME service. Our DNS is with Cloudflare, though.

Thoughts on why this cookie (and cf_use_ob) are being sent insecure?

Do I miss something? :thinking: One of the response headers:

status: 200
expect-ct: max-age=604800, report-uri="https://report-uri.Cloudflare.com/cdn-cgi/beacon/expect-ct"
x-varnish: 9645638
content-encoding: br
set-cookie: __cfduid=da6b464d6fa1291d9eab0bf8fdf3c46ca1555161877; expires=Sun, 12-Apr-20 13:24:37 GMT; path=/; domain=.stl-training.co.uk; HttpOnly; Secure
set-cookie: beststlsession=qebpsop61k01s2d4k6qa6t4vl0; path=/; domain=stl-training.co.uk; secure; HttpOnly
set-cookie: visitor_data[medium]=1; secure
age: 0
expires: Thu, 19 Nov 1981 08:52:00 GMT
server: Cloudflare
via: 1.1 varnish-v4
pragma: no-cache
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
date: Sat, 13 Apr 2019 13:24:37 GMT
cf-ray: 4c6dc2e6b84ab7d1-CDG
content-type: text/html; charset=UTF-8
:status: 200
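One way to check the flags programmatically instead of by eye, as an added example that is not part of the thread: it reads the Set-Cookie lines from the response pasted above and reports which cookies lack Secure or HttpOnly, comparing attribute names case-insensitively (which matters here, since one cookie says Secure and the others secure).

```python
from typing import Dict, List

# Headers copied from the response pasted in the reply above (trimmed to the relevant lines).
RESPONSE_HEADERS = """\
status: 200
set-cookie: __cfduid=da6b464d6fa1291d9eab0bf8fdf3c46ca1555161877; expires=Sun, 12-Apr-20 13:24:37 GMT; path=/; domain=.stl-training.co.uk; HttpOnly; Secure
set-cookie: beststlsession=qebpsop61k01s2d4k6qa6t4vl0; path=/; domain=stl-training.co.uk; secure; HttpOnly
set-cookie: visitor_data[medium]=1; secure
server: Cloudflare
"""


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into cookie name, value and an attribute map.

    Attribute names are lower-cased so 'Secure' and 'secure' are treated alike,
    as browsers do (RFC 6265, section 5.2).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(raw_headers: str) -> List[dict]:
    """Return one finding per Set-Cookie header listing the hardening flags it lacks."""
    findings = []
    for line in raw_headers.splitlines():
        hname, sep, hvalue = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue.strip())
        missing = [flag for flag in ("secure", "httponly") if flag not in cookie["attrs"]]
        findings.append({"name": cookie["name"], "missing": missing})
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(RESPONSE_HEADERS):
        status = "ok" if not finding["missing"] else "missing " + ", ".join(finding["missing"])
        print(f"{finding['name']}: {status}")
```

Because this inspects the response headers rather than the browser's cookie jar, it shows what the server sends now, not cookies stored on an earlier visit.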

Hi Mark,

Thanks for your response.

That is strange. Our PCI vulnerability scan is saying it is not being sent as ‘secure’, and when I load the page in Firefox, the Dev tools are also showing it is not a secure cookie.

Our main site session cookie is being sent securely.

What steps or tools would you recommend to debug this? i.e. what tool did you use to get the text you pasted?

Regards, Rich

Further to my investigations, I realised the EXISTING cookies in my browser were still ‘insecure’. So I had to clear all cookies for the site in my browser and refresh the page, and then saw it was ‘secure’.

Thanks for looking into this, Mark, it helped us understand what was going on.
