SameSite cookie interaction with Cloudflare
Google Chrome enforces SameSite cookie behavior to protect against marketing cookies that track users and against Cross-Site Request Forgery (CSRF), which allows attackers to steal or manipulate your cookies.
The SameSite cookie attribute has three different modes:
- Strict: Cookies are created by the first party (the visited domain). For example, a first-party cookie is set by Cloudflare when visiting cloudflare.com.
- Lax: Cookies are only sent to the apex domain (such as example.com). For example, if someone (blog.example.net) hotlinked an image (img.example.com/bar.png), the client does not send a cookie to img.example.com since it is neither the first-party nor apex context.
- None: Cookies are sent with all requests.
SameSite settings for Cloudflare cookies include:
| Cloudflare cookie | SameSite setting | HTTPS Only |
|---|---|---|
| __cf_bm | SameSite=None; Secure | Yes |
| cf_clearance | SameSite=None; Secure | Yes |
| __cflb | SameSite=Lax | No |
Currently, to configure the SameSite attribute on session affinity cookies you must use the Cloudflare API (for example, the Create Load Balancer operation).
To configure the value of the SameSite cookie attribute, include the samesite and secure JSON attributes in your HTTP request, inside the session_affinity_attributes object.
The available values for these two attributes are the following:
samesite attribute:
- Valid values: Auto (default), Lax, None, Strict.
secure attribute:
- Valid values: Auto (default), Always, Never.
The Auto value for the samesite attribute will have the following behavior:
- If Always Use HTTPS is enabled, session affinity cookies will use the Lax SameSite mode.
- If Always Use HTTPS is disabled, session affinity cookies will use the None SameSite mode.
The Auto value for the secure attribute will have the following behavior:
- If Always Use HTTPS is enabled, session affinity cookies will include Secure in the SameSite attribute.
- If Always Use HTTPS is disabled, session affinity cookies will not include Secure in the SameSite attribute.
If you set samesite to None in your API request, you cannot set secure to Never.
If you require a specific SameSite configuration in your session affinity cookies, Cloudflare recommends that you provide values for samesite and secure different from Auto, instead of relying on the default behavior. This way, the value of the SameSite cookie attribute will not change due to configuration changes (namely Always Use HTTPS).
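The following is an added example, not Cloudflare's own code or API client: it builds the session_affinity_attributes object described above, rejects the disallowed samesite=None plus secure=Never combination before the request is sent, and resolves what the Auto values turn into for a given Always Use HTTPS setting so you can see why pinning explicit values is recommended. The surrounding request body fields (name, default_pools, fallback_pool) are placeholders and are assumed, not taken from the page.

```python
import json

# Valid values as listed on the page.
SAMESITE_VALUES = {"Auto", "Lax", "None", "Strict"}
SECURE_VALUES = {"Auto", "Always", "Never"}


def resolve_auto(samesite: str, secure: str, always_use_https: bool) -> tuple:
    """Return (effective SameSite mode, Secure flag set?) after applying the
    documented Auto rules for session affinity cookies."""
    if samesite == "Auto":
        samesite = "Lax" if always_use_https else "None"
    if secure == "Auto":
        secure_flag = always_use_https
    else:
        secure_flag = secure == "Always"
    return samesite, secure_flag


def cookie_attribute_string(samesite: str, secure_flag: bool) -> str:
    """Render the attributes as they would appear in a Set-Cookie header."""
    attrs = "SameSite=" + samesite
    if secure_flag:
        attrs += "; Secure"
    return attrs


def build_session_affinity_attributes(samesite: str = "Auto", secure: str = "Auto") -> dict:
    """Validate the two attributes and return the JSON object fragment."""
    if samesite not in SAMESITE_VALUES:
        raise ValueError("invalid samesite value: %r" % samesite)
    if secure not in SECURE_VALUES:
        raise ValueError("invalid secure value: %r" % secure)
    # Documented constraint: SameSite=None may not be combined with secure=Never.
    if samesite == "None" and secure == "Never":
        raise ValueError("samesite=None cannot be combined with secure=Never")
    return {"samesite": samesite, "secure": secure}


def build_request_body(samesite: str = "Auto", secure: str = "Auto") -> str:
    """Assemble a load balancer request body (placeholder fields) as JSON text."""
    body = {
        "name": "lb.example.com",            # assumed placeholder
        "default_pools": ["<pool-id>"],      # assumed placeholder
        "fallback_pool": "<pool-id>",        # assumed placeholder
        "session_affinity": "cookie",        # assumed placeholder
        "session_affinity_attributes": build_session_affinity_attributes(samesite, secure),
    }
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    # Same Auto configuration, two Always Use HTTPS settings: the cookie changes.
    for https in (True, False):
        mode, flag = resolve_auto("Auto", "Auto", https)
        print("Always Use HTTPS =", https, "->", cookie_attribute_string(mode, flag))
    # Pinned values do not move when Always Use HTTPS is toggled.
    print(build_request_body("Lax", "Always"))
```

Pinned values such as samesite=Lax with secure=Always produce the same cookie attributes regardless of the Always Use HTTPS toggle, which is the point of the recommendation above.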
When a visitor solves a challenge presented due to a WAF custom rule or an IP Access rule, a cf_clearance cookie is set in the visitor's browser. The cf_clearance cookie has a default lifetime of 30 minutes, which you can configure via Challenge Passage.
Cloudflare uses SameSite=None in the cf_clearance cookie so that visitor requests from different hostnames are not met with later challenges or errors. When SameSite=None is used, it must be set in conjunction with the Secure flag.
Using the Secure flag requires sending the cookie via an HTTPS connection. If you use HTTP on any part of your website, the cf_clearance cookie defaults to SameSite=Lax, which may cause your website not to function properly.
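As an added example (not Cloudflare code), the check below parses Set-Cookie header lines and reports the two failure modes described above: a cookie that declares SameSite=None without the Secure flag, and a Secure cookie delivered over a plain HTTP response. The sample header values are constructed for the example; only the cookie names and attribute combinations come from the page.

```python
def parse_set_cookie(header_value: str) -> dict:
    """Split a Set-Cookie value into its name and a case-insensitive attribute map.
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_cookie(header_value: str, scheme: str) -> list:
    """Return a list of findings for one Set-Cookie value received over `scheme`
    ('http' or 'https'). An empty list means the cookie is consistent."""
    cookie = parse_set_cookie(header_value)
    attrs = cookie["attrs"]
    findings = []
    samesite = str(attrs.get("samesite", "")).lower()
    secure = attrs.get("secure", False)
    # SameSite=None is only accepted by browsers together with Secure.
    if samesite == "none" and not secure:
        findings.append("%s: SameSite=None without Secure" % cookie["name"])
    # A Secure cookie cannot be delivered over plain HTTP.
    if secure and scheme.lower() != "https":
        findings.append("%s: Secure cookie set over %s" % (cookie["name"], scheme))
    return findings


def check_response(set_cookie_headers: list, scheme: str) -> list:
    """Run check_cookie over every Set-Cookie header of one response."""
    findings = []
    for header in set_cookie_headers:
        findings.extend(check_cookie(header, scheme))
    return findings


# Constructed sample headers (cookie values are placeholders, not real tokens).
SAMPLE_HTTPS = [
    "cf_clearance=<placeholder>; Path=/; Max-Age=1800; SameSite=None; Secure; HttpOnly",
    "__cflb=<placeholder>; Path=/; SameSite=Lax",
]
SAMPLE_HTTP = [
    "cf_clearance=<placeholder>; Path=/; Max-Age=1800; SameSite=None; Secure; HttpOnly",
]
SAMPLE_BROKEN = [
    "session=<placeholder>; Path=/; SameSite=None",
]

if __name__ == "__main__":
    for label, headers, scheme in (("https", SAMPLE_HTTPS, "https"),
                                   ("http", SAMPLE_HTTP, "http"),
                                   ("broken", SAMPLE_BROKEN, "https")):
        print(label, "->", check_response(headers, scheme) or "ok")
```

Running this against a mixed-content site shows the practical consequence: the same cf_clearance header that is fine on an HTTPS page is flagged when any part of the site is served over HTTP, which is exactly the situation the text says to resolve by moving all traffic to HTTPS.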
To resolve the issue, move your website traffic to HTTPS. Cloudflare offers two features for this purpose: