Hi. I have been spending time lately setting up Cloudflare WAF/security for several websites, and wanted to raise the question: why not increase Challenge Passage to 1 month? I am struggling to see many/any benefits of keeping it as low as 30 minutes, unless the context is extremely sensitive and vulnerable.
If a visitor fails to solve the initial challenge (likely a bot), then the challenge passage is irrelevant anyway.
If a visitor (human) solves the initial challenge, why would it matter in terms of security if they are re-challenged again after 30 minutes?
Please correct me, but I'm struggling to envision any scenarios where a short challenge passage has any benefit.
If you prefer setting the duration for 1 month, you can proceed to configure it.
We at Cloudflare recommend a setting between 15 and 45 minutes.
When a visitor successfully solves a challenge, Cloudflare sets a cf_clearance cookie in their browser. This cookie specifies the duration your website is accessible to that visitor.
When that visitor tries to access other parts of your website, Cloudflare evaluates the cookie before presenting another challenge. If the cookie is still valid, no challenges will be shown.
When Cloudflare evaluates a cf_clearance cookie, a few extra minutes are included to account for clock skew. For XmlHTTP requests, an extra hour is added to the validation time to prevent breaking XmlHTTP requests for pages that set short lifetimes.
For further information, kindly review this document: Challenge Passage
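A small model of the validation rules described in the reply above, added here as an illustration; it is not Cloudflare's code and not part of the original posts. The 5-minute skew allowance, the constructed request timeline, and treating a challenged XmlHTTP request as failed (a background request cannot display a challenge page) are assumptions.

```python
from dataclasses import dataclass

MIN = 60
CLOCK_SKEW_GRACE = 5 * MIN   # assumption: the reply only says "a few extra minutes"
XHR_EXTRA = 60 * MIN         # from the reply: one extra hour for XmlHTTP requests


@dataclass
class Request:
    t: int             # seconds since the first visit
    xhr: bool = False  # True for an XmlHTTP (background) request


def clearance_valid(issued_at, now, passage, xhr):
    """True if a cf_clearance issued at `issued_at` is still accepted at `now`."""
    deadline = issued_at + passage + CLOCK_SKEW_GRACE
    if xhr:
        deadline += XHR_EXTRA
    return now <= deadline


def replay(requests, passage):
    """Replay a visitor's requests and return one outcome per request.

    Modelling assumptions: a page navigation that is challenged gets solved and
    a fresh cookie is issued at that moment; an XHR that is challenged fails
    and leaves the old cookie untouched.
    """
    issued_at = None
    outcomes = []
    for r in requests:
        if issued_at is not None and clearance_valid(issued_at, r.t, passage, r.xhr):
            outcomes.append("pass")
        elif r.xhr:
            outcomes.append("xhr_blocked")
        else:
            outcomes.append("challenge")
            issued_at = r.t
    return outcomes


# Constructed timeline: one page load, XHR polling every 20 minutes for two
# hours, then another page navigation at 130 minutes.
TIMELINE = ([Request(0)]
            + [Request(m * MIN, xhr=True) for m in range(20, 121, 20)]
            + [Request(130 * MIN)])

if __name__ == "__main__":
    for label, passage in (("30 minutes", 30 * MIN), ("1 month", 30 * 24 * 60 * MIN)):
        print(label, replay(TIMELINE, passage))
```

With a 30-minute passage the polling keeps working until 95 minutes in this model (30 + 5 + 60), well past the point where a page navigation would already be re-challenged.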