Commit 34d3aab

cookie update
1 parent f49a15e commit 34d3aab

File tree

1 file changed

+19
-5
lines changed

src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx

Lines changed: 19 additions & 5 deletions
@@ -16,11 +16,11 @@ When you protect a site with Cloudflare Access, Cloudflare checks every HTTP req
1616

1717
The `CF_Authorization` cookie contains the user's identity in the form of a JSON Web Token (JWT). Cloudflare securely creates these tokens through the OAUTH or SAML integration between Cloudflare Access and the configured identity provider.
1818

19-
Two tokens are generated:
19+
Access generates two separate `CF_Authorization` cookies, each containing its own JWT, depending on the domain:
2020

21-
- **Global session token**: a token generated when a user logs in to Access. This token is stored as a cookie at your <GlossaryTooltip term="team domain">team domain</GlossaryTooltip> (for example, `https://<your-team-name>.cloudflareaccess.com`) and prevents a user from needing to log in to each application.
21+
- **Global session token**: Generated when a user logs in to Access. This token is stored as a cookie at your <GlossaryTooltip term="team domain">team domain</GlossaryTooltip> (for example, `https://<your-team-name>.cloudflareaccess.com`) and prevents a user from needing to log in to each application.
2222

23-
- [**Application token**](/cloudflare-one/identity/authorization-cookie/application-token/): a token generated for each application that a user reaches. This token is stored as a cookie on the protected domain (for example, `https://jira.site.com`) and may be used to [validate requests](/cloudflare-one/identity/authorization-cookie/validating-json) on your origin.
23+
- [**Application token**](/cloudflare-one/identity/authorization-cookie/application-token/): Generated for each application that a user reaches. This token is stored as a cookie on the protected domain (for example, `https://jira.site.com`) and may be used to [validate requests](/cloudflare-one/identity/authorization-cookie/validating-json) on your origin.
2424

2525
### Multi-domain applications
2626

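Review bot: the new intro line "Access generates two separate `CF_Authorization` cookies, each containing its own JWT, depending on the domain:" reads as if one cookie or the other is chosen based on the domain, whereas the two bullets that follow describe both cookies being set, one on the team domain and one on the protected application domain. Suggest "Access sets two separate `CF_Authorization` cookies, each containing its own JWT, on different domains:" so the sentence matches the bullets. The bullet rewrites themselves ("Generated when a user logs in to Access", "Generated for each application that a user reaches") are an improvement, since they drop the redundant "a token" now that the lead sentence already says each cookie carries a JWT.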
@@ -30,6 +30,18 @@ For Access applications with five or less domains, Access will preemptively set
3030

3131
If the Access application has more than five domains, Access will not preemptively set any cookies. Cookies are only issued as the user visits each domain. This limitation is to avoid latency issues that could affect the user experience.
3232

33+
## Access cookies
34+
35+
The following Access cookies are essential to Access functionality. These cookies are not used for tracking or analytics.
36+
37+
| Cookie | Details | Expiration | HttpOnly | SameSite | Required? |
38+
| ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | ---------------------------- | --------- |
39+
| [CF_Authorization](/cloudflare-one/identity/authorization-cookie/#access-jwts) (team domain) | [JSON web token (JWT)](https://www.cloudflare.com/learning/access-management/token-based-authentication/) set on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity ands enables Access to perform single sign-on (SSO) | If [global session duration](/cloudflare-one/identity/users/session-management/#global-session-duration) is set, adheres to that.<br/><br/> If not, adheres to the [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).<br/><br/> If neither are set, defaults to 24 hours. | Yes | None | Yes |
40+
| [CF_Authorization](/cloudflare-one/identity/authorization-cookie/#access-jwts) (Access application domain) | [JSON web token (JWT)](https://www.cloudflare.com/learning/access-management/token-based-authentication/) set on the domain protected by Access, used to confirm that the user has been authenticated and is authorized to reach the origin | If [policy session duration](/cloudflare-one/identity/users/session-management/#policy-session-duration) is set, adheres to that.<br/><br/> If not, adheres to the [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).<br/><br/> If neither are set, defaults to 24 hours. | Admin choice (Default: No) | Admin choice (Default: None) | Yes |
41+
| CF_Binding | Refer to [Binding cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) | If [policy session duration](/cloudflare-one/identity/users/session-management/#policy-session-duration) is set, adheres to that.<br/><br/> If not, adheres to the [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).<br/><br/> If neither are set, defaults to 24 hours. | Yes | None | Optional |
42+
| CF_Session | [CSRF](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) | 4 hours | Yes | None | Required |
43+
| CF_AppSession | [CSRF](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used per application domain, scoped to individual applications behind Access | 24 hours | Yes | None | Required |
44+
3345
## Cookie settings
3446

3547
Cloudflare Access provides optional security settings that can be added to the browser cookies generated by Access for an authenticated user.
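Review bot: typo in the team-domain `CF_Authorization` row of the new table, "contains the user's identity ands enables Access to perform single sign-on (SSO)" should be "and enables". Two consistency points in the same table: the "Required?" column mixes "Yes" (first two rows), "Optional" (`CF_Binding`) and "Required" (`CF_Session`, `CF_AppSession`); pick one pair such as "Yes"/"Optional" throughout. The three expiration cells also repeat "If neither are set, defaults to 24 hours", which should be "If neither is set". Separately, the table says the `CF_Binding` cookie's expiration follows the policy or application session duration, while the "Binding cookie" section further down only says the cookie is created on successful authentication; since the table is the only place the lifetime is stated, consider cross-linking the two so an administrator reading the binding-cookie section also learns how long it lives.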
@@ -78,9 +90,11 @@ Do not enable HttpOnly if:
7890
- You are using the Access application for non-browser based tools (such as SSH or RDP).
7991
- You have software that relies on being able to access a user's cookie generated by Access.
8092

81-
### Binding Cookie
93+
### Binding cookie
94+
95+
The binding cookie (`CF_Binding`) is an optional security cookie created when a user successfully authenticates. It binds the browser to the application’s `CF_Authorization` cookie, helping protect against session hijacking-style attacks. The binding cookie is shared with Cloudflare to verify identity, but it is stripped before reaching your origin. Because the origin never sees the binding cookie, this ensures the binding cookie cannot be exposed, logged, or stolen by application-layer vulnerabilities.
8296

83-
The Binding Cookie is an additional cookie created when a user successfully authenticates, shared with Cloudflare to verify identity, and then stripped before it reaches the origin server. The Binding Cookie associates the browser with the Access token; the association protects against compromised authorization tokens because the origin webapp would never see this binding cookie. This protects against session hijack style attacks.
97+
If a request is missing the expected binding cookie, the associated `CF_Authorization` token is rejected, reinforcing session integrity and preventing unauthorized reuse.
8498

8599
#### When not to use Binding Cookie
86100

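Review bot: the heading directly below this hunk, "#### When not to use Binding Cookie", still uses the capitalised form while this change renames the parent heading from "### Binding Cookie" to "### Binding cookie" and switches the body text to "binding cookie"; rename the sub-heading in the same commit for consistency. In the rewritten paragraph, "shared with Cloudflare to verify identity" sits a little awkwardly next to the preceding sentence, which says the cookie "binds the browser to the application's `CF_Authorization` cookie" rather than carrying identity; "shared with Cloudflare to verify the session binding" would match. The last sentence of the first paragraph also says the same thing twice ("Because the origin never sees the binding cookie, this ensures the binding cookie cannot be exposed..."), and could be shortened to "Because the origin never sees it, the binding cookie cannot be exposed, logged, or stolen by application-layer vulnerabilities." The new closing line, "If a request is missing the expected binding cookie, the associated `CF_Authorization` token is rejected", is the key security statement and a welcome addition, since it spells out that a `CF_Authorization` cookie taken from one browser is not sufficient on its own. Finally, the curly apostrophe in "application’s" should be the plain ASCII apostrophe used elsewhere in the file.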