That's a good point. I can't currently think of many reasons as to why that is done. One could be, for example in the case of cfduid, to allow the origin to also distinguish individual clients - in addition to Cloudflare, which is the original purpose. But that is mere guessing and I am really not sure there is much point.
Maybe @cloonan or @cs-cf can shed some light as to why that is being done.
I have it on my todo list to see if I can use the cfduid cookie as a session cookie rather than generating them myself for a particular backend product. Not sure if there is any particular benefit but if it does distinguish individual clients then it would be “good enough” and would save me implementing some session management.
With that being said, I’m unclear why one wouldn’t simply configure Varnish to ignore the Cloudflare cookie? There are other cookies you might ignore too depending on other services you might use (CAPTCHA, analytics services, etc).
It’s a really good question @leo. Those cookies should be of no use to the origin server since they are CF’s tracking cookies.
Those services’ cookies should only go back to their own server. A cookie for foo.com shouldn’t get sent to bar.com.
CF is different because through DNS, the browser thinks CF is the website’s server.
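The Varnish approach raised earlier in the thread, as an added example that is not part of any poster's message: a VCL 4.0 `vcl_recv` that drops the Cloudflare cookie before the cache lookup and before the request reaches the origin. It assumes the cookie's full name is `__cfduid`; the backend address is a placeholder.

```vcl
vcl 4.0;

# Placeholder backend; replace with the real origin.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    if (req.http.Cookie) {
        # Remove only the Cloudflare cookie (assumed name: __cfduid),
        # leaving the application's own cookies untouched.
        set req.http.Cookie = regsuball(req.http.Cookie,
            "(^|;\s*)__cfduid=[^;]*", "");

        # If __cfduid was the first cookie, a leading "; " is left behind.
        set req.http.Cookie = regsub(req.http.Cookie, "^;\s*", "");

        # With no cookies left, remove the header entirely so the
        # request is eligible for a normal cache lookup.
        if (req.http.Cookie ~ "^\s*$") {
            unset req.http.Cookie;
        }
    }
}
```

The same `regsuball` pattern can be extended with an alternation to cover the other third-party cookies mentioned above.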