From 9863bb19e94e945d173d7758e326fb2a037db1ad Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Fri, 11 Jul 2025 11:45:28 +0100 Subject: [PATCH 1/2] [CF1] access cookies table format --- .../identity/authorization-cookie/index.mdx | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx index c2268388722d0d..eb8252305a44c9 100644 --- a/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx +++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx 
@@ -32,14 +32,14 @@ If the Access application has more than five domains, Access will not preemptive The following Access cookies are essential to Access functionality. Cookies that are marked as required cannot be opted out of. The following cookies are not used for tracking or analytics. -| Cookie | Details | Expiration | HttpOnly | SameSite | Required? | -| ---------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ---------------------------- | --------- | -| [CF_Authorization](/cloudflare-one/identity/authorization-cookie/#access-jwts) (team domain) | [JSON web token (JWT)](https://www.cloudflare.com/learning/access-management/token-based-authentication/) set on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity and enables Access to perform single sign-on (SSO) | If set, adheres to [global session duration](/cloudflare-one/identity/users/session-management/#global-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours. | Yes | None | Required | -| [CF_Authorization](/cloudflare-one/identity/authorization-cookie/#access-jwts) (Access application domain) | [JSON web token (JWT)](https://www.cloudflare.com/learning/access-management/token-based-authentication/) set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin | If set, adheres to [policy session duration](/cloudflare-one/identity/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours. | Admin choice (Default: None) | Admin choice (Default: None) | Required | -| CF_Binding | Refer to [Binding cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) | If set, adheres to [policy session duration](/cloudflare-one/identity/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours. | Yes | None | Optional | -| CF_Session | [CSRF](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) | 4 hours | Yes | None | Required | -| CF_AppSession | [CSRF](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used per application domain, scoped to individual applications behind Access | 24 hours | Yes | None | Required | -| CF_Device | Cookie used to help prevent abuse of the [Access OTP flow](https://developers.cloudflare.com/cloudflare-one/identity/one-time-pin/) | 30 days | Yes | Strict | Required | +| Cookie | Details | Expiration | HttpOnly | SameSite | Required? | +| ---------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ---------------------------- | --------- | +| [CF_Authorization](/cloudflare-one/identity/authorization-cookie/#access-jwts) (team domain) | [JSON web token (JWT)](https://www.cloudflare.com/learning/access-management/token-based-authentication/) set on the `cloudflareaccess.com` [team 
domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity and enables Access to perform single sign-on (SSO) |
ViewIf set, adheres to [global session duration](/cloudflare-one/identity/users/session-management/#global-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Required | +| [CF_Authorization](/cloudflare-one/identity/authorization-cookie/#access-jwts) (Access application domain) | [JSON web token (JWT)](https://www.cloudflare.com/learning/access-management/token-based-authentication/) set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin |
ViewIf set, adheres to [policy session duration](/cloudflare-one/identity/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Admin choice (Default: None) | Admin choice (Default: None) | Required | +| CF_Binding | Refer to [Binding cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) |
ViewIf set, adheres to [policy session duration](/cloudflare-one/identity/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Optional | +| CF_Session | [CSRF](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) | 4 hours | Yes | None | Required | +| CF_AppSession | [CSRF](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used per application domain, scoped to individual applications behind Access | 24 hours | Yes | None | Required | +| CF_Device | Cookie used to help prevent abuse of the [Access OTP flow](https://developers.cloudflare.com/cloudflare-one/identity/one-time-pin/) | 30 days | Yes | Strict | Required | ## Cookie settings From 72244a86c8a218f2c9ac7ff9c60b3209ab82c5f8 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Fri, 11 Jul 2025 12:04:58 +0100 Subject: [PATCH 2/2] remix format --- .../identity/authorization-cookie/index.mdx | 45 +++++++++++++++---- 1 file changed, 36 insertions(+), 9 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx index eb8252305a44c9..199846634bb1de 100644 --- a/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx +++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx 
@@ -12,7 +12,7 @@ When you protect a site with Cloudflare Access, Cloudflare checks every HTTP req ## Access JWTs -The `CF_Authorization` cookie contains the user's identity in the form of a JSON Web Token (JWT). Cloudflare securely creates these tokens through the OAUTH or SAML integration between Cloudflare Access and the configured identity provider. +The `CF_Authorization` cookie contains the user's identity in the form of a [JSON Web Token (JWT)](https://www.cloudflare.com/learning/access-management/token-based-authentication/). Cloudflare securely creates these tokens through the OAUTH or SAML integration between Cloudflare Access and the configured identity provider. Access generates two separate `CF_Authorization` tokens depending on the domain: 
@@ -32,14 +32,41 @@ If the Access application has more than five domains, Access will not preemptive The following Access cookies are essential to Access functionality. Cookies that are marked as required cannot be opted out of. The following cookies are not used for tracking or analytics. -| Cookie | Details | Expiration | HttpOnly | SameSite | Required? | -| ---------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ---------------------------- | --------- | -| [CF_Authorization](/cloudflare-one/identity/authorization-cookie/#access-jwts) (team domain) | [JSON web token (JWT)](https://www.cloudflare.com/learning/access-management/token-based-authentication/) set on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity and enables Access to perform single sign-on (SSO) |
ViewIf set, adheres to [global session duration](/cloudflare-one/identity/users/session-management/#global-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Required | -| [CF_Authorization](/cloudflare-one/identity/authorization-cookie/#access-jwts) (Access application domain) | [JSON web token (JWT)](https://www.cloudflare.com/learning/access-management/token-based-authentication/) set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin |
ViewIf set, adheres to [policy session duration](/cloudflare-one/identity/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Admin choice (Default: None) | Admin choice (Default: None) | Required | -| CF_Binding | Refer to [Binding cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) |
ViewIf set, adheres to [policy session duration](/cloudflare-one/identity/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Optional | -| CF_Session | [CSRF](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) | 4 hours | Yes | None | Required | -| CF_AppSession | [CSRF](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used per application domain, scoped to individual applications behind Access | 24 hours | Yes | None | Required | -| CF_Device | Cookie used to help prevent abuse of the [Access OTP flow](https://developers.cloudflare.com/cloudflare-one/identity/one-time-pin/) | 30 days | Yes | Strict | Required | +### CF_Authorization (team domain) + +| Details | Expiration | HttpOnly | SameSite | Required? | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | --------- | +| [JSON web token (JWT)](/cloudflare-one/identity/authorization-cookie/#access-jwts) set on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity and enables Access to perform single sign-on (SSO) |
ViewIf set, adheres to [global session duration](/cloudflare-one/identity/users/session-management/#global-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Required | + +### CF_Authorization (Access application domain) + +| Details | Expiration | HttpOnly | SameSite | Required? | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ---------------------------- | --------- | +| [JSON web token (JWT)](/cloudflare-one/identity/authorization-cookie/#access-jwts) set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin |
ViewIf set, adheres to [policy session duration](/cloudflare-one/identity/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Admin choice (Default: None) | Admin choice (Default: None) | Required | + +### CF_Binding + +| Details | Expiration | HttpOnly | SameSite | Required? | +| ---------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | --------- | +| Refer to [Binding cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) |
ViewIf set, adheres to [policy session duration](/cloudflare-one/identity/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Optional | + +### CF_Session + +| Details | Expiration | HttpOnly | SameSite | Required? | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------- | -------- | -------- | --------- | +| [CSRF](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) | 4 hours | Yes | None | Required | + +### CF_AppSession + +| Details | Expiration | HttpOnly | SameSite | Required? | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------- | -------- | --------- | +| [CSRF](https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/) token used per application domain, scoped to individual applications behind Access | 24 hours | Yes | None | Required | + +### CF_Device + +| Details | Expiration | HttpOnly | SameSite | Required? | +| ----------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------- | -------- | --------- | +| Cookie used to help prevent abuse of the [Access OTP flow](https://developers.cloudflare.com/cloudflare-one/identity/one-time-pin/) | 30 days | Yes | Strict | Required | ## Cookie settings
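Review bot: In [PATCH 1/2], hunk `@@ -32,14 +32,14 @@`, the re-added `CF_Device` row still links the Access OTP flow through an absolute `https://developers.cloudflare.com/cloudflare-one/identity/one-time-pin/` URL, while every other in-docs link in the table is root-relative (`/cloudflare-one/...`). The row is being rewritten here anyway, so switch it to `/cloudflare-one/identity/one-time-pin/` to match its neighbours. A smaller point on the same hunk: the Expiration cells for both `CF_Authorization` rows and for `CF_Binding` repeat the same fallback wording (session duration, then application session duration, then 24 hours); stating that order once below the table and keeping only the first-choice setting in each cell would shorten the rows this patch is trying to tame.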
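Review bot: In [PATCH 2/2], hunk `@@ -12,7 +12,7 @@`, the rewritten sentence keeps `OAUTH` in all capitals; the protocol name is written OAuth, and since this line is already being touched it is the natural place to correct it. The new link text also reads "JSON Web Token (JWT)" while the cookie tables in the next hunk use "JSON web token (JWT)", so pick one capitalisation for the page.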
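Review bot: In [PATCH 2/2], hunk `@@ -32,14 +32,41 @@`, the new `CF_Authorization (Access application domain)` table carries over `Admin choice (Default: None)` in the HttpOnly column, but `None` is a SameSite value and HttpOnly is an on/off attribute, so a reader cannot tell from this cell whether the flag is set by default. Please state the HttpOnly default as enabled or disabled and keep `None` for the SameSite column only. Also worth reconsidering: splitting the table into six single-row tables repeats the same five-column header six times and removes the side-by-side view of HttpOnly, SameSite and Required? across cookies, which is what someone auditing these cookie attributes needs. A compact summary table (Cookie, HttpOnly, SameSite, Required?) with Details and Expiration moved under each `###` heading as prose would keep the comparison and still fix the width problem.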