Why does Cloudflare not strip their own cookies?

I do know what the Cloudflare cookies are used for (see https://support.cloudflare.com/hc/en-us/articles/200170156-What-does-the-Cloudflare-cfduid-cookie-do-) and that I need to configure my reverse proxy to strip them so the response can be cached (see https://support.cloudflare.com/hc/en-us/articles/200169376-Can-I-use-Cloudflare-and-Varnish-together-).

But I wonder why Cloudflare does not strip their own cookies before forwarding the request to my server? Does anyone know?

That's a good point. I can't currently think of many reasons as to why that is done. One could be, for example in the case of cfduid, to allow the origin to also distinguish individual clients - in addition to Cloudflare, which is the original purpose. But that is mere guessing and I am really not sure there is much point.

Maybe @cloonan or @cs-cf can shed some light as to why that is being done.

1 Like

I have it on my to-do list to see if I can use the cfduid cookie as a session cookie rather than generating them myself for a particular backend product. Not sure if there is any particular benefit but if it does distinguish individual clients then it would be “good enough” and would save me implementing some session management.

With that being said, I’m unclear why one wouldn’t simply configure varnish to ignore the Cloudflare cookie? There are other cookies you might ignore too depending on other services you might use (CAPTCHA, analytics services, etc).

2 Likes
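The stripping the question and the reply above refer to, written out as an added example (this is not code from the thread, from Cloudflare or from Varnish): remove Cloudflare's own cookies from the Cookie header before the request reaches the cache/origin, and drop the header entirely when nothing else is left, since a request that still carries any Cookie is normally treated as uncacheable. The cookie names other than __cfduid, the header shape and the function names are assumptions for this illustration. The regex is anchored so that a site cookie whose name merely contains one of these names is left alone, which is the mistake an unanchored pattern makes.

```python
import re
from typing import Dict, Optional

# Cookies Cloudflare sets in the visitor's browser. Because DNS makes the
# browser treat Cloudflare as the site, they are sent on every request and
# forwarded to the origin. __cfduid is from the thread; the other names are an
# assumption for this example and may need adjusting for your zone.
CLOUDFLARE_COOKIES = ("__cfduid", "__cf_bm", "cf_clearance")

# One name=value pair, terminated by ';' or end of header. The name must sit at
# the start of the header or directly after a ';' separator, so a site cookie
# such as "x__cfduid=..." is not matched as a substring.
_CF_COOKIE_RE = re.compile(
    r"(^|;\s*)(" + "|".join(re.escape(n) for n in CLOUDFLARE_COOKIES) + r")=[^;]*"
)


def strip_cloudflare_cookies(cookie_header: Optional[str]) -> Optional[str]:
    """Return the Cookie header with Cloudflare's cookies removed.

    Returns None when no cookie remains, so the caller can delete the header
    outright; that is the case the cache can actually serve from cache.
    """
    if not cookie_header:
        return None
    stripped = _CF_COOKIE_RE.sub("", cookie_header)
    # Tidy the separators the removal leaves behind: a leading "; ",
    # a doubled ";;" in the middle, or a trailing ";".
    stripped = re.sub(r"^\s*;\s*", "", stripped)
    stripped = re.sub(r";\s*;", ";", stripped)
    stripped = re.sub(r";\s*$", "", stripped).strip()
    return stripped or None


def origin_request_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the request headers as they should be forwarded past the cache.

    Only the Cookie header is touched (assumed to be keyed exactly "Cookie").
    When Cloudflare's cookies were the only ones, the header is removed.
    """
    forwarded = dict(headers)
    remaining = strip_cloudflare_cookies(forwarded.get("Cookie"))
    if remaining is None:
        forwarded.pop("Cookie", None)
    else:
        forwarded["Cookie"] = remaining
    return forwarded


def is_cacheable_request(headers: Dict[str, str]) -> bool:
    """True when, after stripping, the request carries no Cookie at all."""
    return "Cookie" not in origin_request_headers(headers)


if __name__ == "__main__":
    # Constructed sample request: Cloudflare's cookie plus a real session cookie.
    sample = {"Host": "example.com", "Cookie": "__cfduid=abc123; session=xyz"}
    print(origin_request_headers(sample))          # Cookie becomes "session=xyz"
    print(is_cacheable_request({"Cookie": "__cfduid=abc123"}))  # True
```

The same logic in Varnish is a `regsuball(req.http.Cookie, ...)` on the request in `vcl_recv` followed by `unset req.http.Cookie` when the result is empty; the point of writing it out here is that the anchored pattern and the separator clean-up are where hand-written VCL usually goes wrong.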

It’s a really good question @leo. Those cookies should be of no use to the origin server since they are CF’s tracking cookies.

Those services’ cookies should only go back to their own server. A cookie for foo.com shouldn’t get sent to bar.com.
CF is different because through DNS, the browser thinks CF is the website’s server.

1 Like
