The removal of the _cfuid cookie

Some of us have been relying on this for things like rough rate-limiting or log-batching. Will there be any replacement header we can use?

@KentonVarda

You could create your _uid cookie.

2 Likes

Of course, just checking if it’s going to be replaced with something that’s not cookie-based.

1 Like

Sorry, I don’t know much about this. The _cfuid cookie is a general Cloudflare feature not specific to Workers.

CF probably realized the value of a GDPR-free, Cookie-free base product, that many jurisdictions are legislating against, and referring to Cookies by name, can just be equally replaced with TLS session tickets/session IDs being the exact same thing (separating clients behind CGNAT/NAT).

As use of cleartext HTTP basically is reaching zero because of multiple policies/dogma/audits/consultants, the chances of a cleartext HTTP site having dynamic content to DDOS off the internet is zero. Attempting to DDOS a static site, well, is the CF continuous testing suite? :grin:

So yeah, CF probably uses TLS tickets/IDs as a replacement for __cfduid but those are invisible at layer 7. You could try to analyze the bits in Cf-Ray header and if any of the bits are stable req to req to req on same phone, then on another phone but same ISP/big 3 provider, the same 3 reqs had stable but different bits. The mask of the stable fields would be a rough estimate of what is the UUID in a cf-ray header.

1 Like

I’m aware, just wanted to know if it was replaced with something else. Guessing what parts of the UUID would be usable is not as reliable as proper client tracking.