We have a customer that insists on removing the _cfduid (and related) cookies.
However, that requires an enterprise subscription to have Cloudflare do, so we are looking into alternative solutions.
A suggested solution is that the customer relay the call to the resource in question (JavaScript and CSS) through their own servers, thereby preventing the cookie from reaching the client.
What, if any, consequences will this have? From Cloudflare's perspective, it will be a lot of calls to the same resource that will be coming from the same client that doesn't use cookies. Could this trigger any security/threat prevention mechanisms and have unintended consequences?
My guess would be, as long as your user does not fire a security warning, it shouldn't matter much if he blocks the cookies or not. From a Cloudflare perspective it always will be a fresh request. What they could not do in this case is ever pass a possible challenge they might be presented with, either JavaScript or captcha.
Thanks for the answer.
I talked to support and they escalated this to “Enterprise sales” as I mentioned the cookie, so I was hoping someone here knew more.
None of our users would ever be able to pass any challenge, as we're purely using Cloudflare for hosting static background content, such as JavaScript and CSS, which is always fetched in the background. I'm not sure if that's an issue in itself - but we have never seen any issues with it.
Does this mean that Cloudflare could suddenly send back a Captcha challenge if it receives too many requests from the same IP, instead of returning the JavaScript resource? That would 100% of the time go unnoticed for the above reasons.
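
One way a relay could both strip the cookie and stop a challenge from going unnoticed, as raised in the thread above. This is an added example, not code from any poster or from Cloudflare; the function name, the allowed content types, the 502 fallback and the sample responses are assumptions, and it assumes the relay sends no conditional requests (so only a 200 is valid).

```python
import logging

log = logging.getLogger("asset_relay")

# Content types the relay will pass on, keyed by file extension (assumed policy).
EXPECTED_TYPES = {
    ".js": {"application/javascript", "text/javascript"},
    ".css": {"text/css"},
}

def filter_upstream_response(path, status, headers, body):
    """Return (status, headers, body) that is safe to hand to the browser.

    headers is a list of (name, value) pairs because Set-Cookie may repeat.
    path is the request path without a query string.
    """
    # Drop every cookie the upstream tried to set, whatever its name.
    kept = [(n, v) for n, v in headers if n.lower() != "set-cookie"]

    ext = path[path.rfind("."):].lower() if "." in path else ""
    allowed = EXPECTED_TYPES.get(ext, set())
    ctype = next((v for n, v in kept if n.lower() == "content-type"), "")
    media_type = ctype.split(";", 1)[0].strip().lower()

    if status != 200 or media_type not in allowed:
        # Something other than the asset came back (for example an HTML
        # challenge or error page). Log it and fail visibly instead of
        # relaying HTML where a script or stylesheet was expected.
        log.warning("upstream returned %s %r for %s", status, media_type, path)
        fallback = [("Content-Type", "text/plain"), ("Cache-Control", "no-store")]
        return 502, fallback, b"upstream asset unavailable\n"
    return status, kept, body

# Constructed sample responses, not captured traffic.
SAMPLE_ASSET = (200, [("Content-Type", "application/javascript; charset=utf-8"),
                      ("Set-Cookie", "__cfduid=constructed; HttpOnly"),
                      ("Cache-Control", "max-age=3600")], b"console.log('ok');")
SAMPLE_CHALLENGE = (403, [("Content-Type", "text/html; charset=UTF-8"),
                          ("Set-Cookie", "__cfduid=constructed; HttpOnly")],
                    b"<html>challenge</html>")

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(filter_upstream_response("/static/app.js", *SAMPLE_ASSET))
    print(filter_upstream_response("/static/app.js", *SAMPLE_CHALLENGE))
```

Alerting on the logged warning is what turns a silent asset failure into something the operator sees.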