Authorization cookie
When you protect a site with Cloudflare Access, Cloudflare checks every HTTP request bound for that site to ensure that the request has a valid CF_Authorization cookie. If a request does not include the cookie, Access will block the request.
The CF_Authorization cookie contains the user's identity in the form of a JSON Web Token (JWT). Cloudflare securely creates these tokens through the OAUTH or SAML integration between Cloudflare Access and the configured identity provider.
Access generates two separate CF_Authorization tokens depending on the domain:
-
Global session token: Generated when a user logs in to Access. This token is stored as a cookie at your team domain (for example,
https://<your-team-name>.cloudflareaccess.com) and prevents a user from needing to log in to each application. -
Application token: Generated for each application that a user reaches. This token is stored as a cookie on the protected domain (for example,
https://jira.site.com) and may be used to validate requests on your origin.
Cloudflare Access allows you to protect and manage multiple domains in a single self-hosted application. After a user has successfully authenticated to one domain, Access will automatically issue a CF_Authorization cookie when they go to another domain in the same Access application. This means that users only need to authenticate once to a multi-domain application.
For Access applications with five or less domains, Access will preemptively set the cookie for all domains through a series of redirects. This allows single-page applications (SPAs) to retrieve data from other subdomains, even if the user has not explicitly visited those subdomains. Note that we cannot set cookies up-front for a wildcarded subdomain, because we do not know which concrete subdomain to redirect to (wildcarded paths are allowed).
If the Access application has more than five domains, Access will not preemptively set any cookies. Cookies are only issued as the user visits each domain. This limitation is to avoid latency issues that could affect the user experience.
The following Access cookies are essential to Access functionality. Cookies that are marked as required cannot be opted out of. The following cookies are not used for tracking or analytics.
| Cookie | Details | Expiration | HttpOnly | SameSite | Required? |
|---|---|---|---|---|---|
| CF_Authorization (team domain) | JSON web token (JWT) ↗ set on the cloudflareaccess.com team domain that contains the user's identity and enables Access to perform single sign-on (SSO) | If set, adheres to global session duration. If not, adheres to application session duration. If neither are set, defaults to 24 hours. | Yes | None | Required |
| CF_Authorization (Access application domain) | JSON web token (JWT) ↗ set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin | If set, adheres to policy session duration. If not, adheres to application session duration. If neither are set, defaults to 24 hours. | Admin choice (Default: None) | Admin choice (Default: None) | Required |
| CF_Binding | Refer to Binding cookie | If set, adheres to policy session duration. If not, adheres to application session duration. If neither are set, defaults to 24 hours. | Yes | None | Optional |
| CF_Session | CSRF ↗ token used on the cloudflareaccess.com team domain | 4 hours | Yes | None | Required |
| CF_AppSession | CSRF ↗ token used per application domain, scoped to individual applications behind Access | 24 hours | Yes | None | Required |
| CF_Device | Cookie used to help prevent abuse of the Access OTP flow ↗ | 30 days | Yes | Strict | Required |
Cloudflare Access provides optional security settings that can be added to the browser cookies generated by Access for an authenticated user.
To enable these settings:
-
In Zero Trust ↗, go to Access > Applications.
-
Locate the application you would like to configure and select Edit.
-
Select Settings and scroll down to Cookie settings.
-
Configure the desired cookie settings.
-
Select Save application.
The SameSite ↗ Attribute selector restricts the cookie to only being sent if the cookie's defined site matches the site being requested in the browser. This adds protection against cross-site request forgery (CSRF) ↗.
The selector options are:
- None - Cookies will be sent in all contexts, including cross-origin requests.
- Lax - Cookies are allowed to be sent with top-level navigations and will be sent along with GET requests initiated by third party websites.
- Strict - Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.
Refer to the Mozilla documentation ↗ for more information.
Do not enable SameSite restrictions if you have additional sites or applications that rely on a specific application's authorization cookie.
The HttpOnly flag is a cookie attribute that prevents the cookie from being accessed by any client-side scripts, reducing the likelihood of Cross-Site Scripting (XSS) attacks. This flag is enabled by default.
Do not enable HttpOnly if:
- You are using the Access application for non-browser based tools (such as SSH or RDP).
- You have software that relies on being able to access a user's cookie generated by Access.
The binding cookie (CF_Binding) is an optional cookie issued when a user successfully authenticates. The binding cookie is sent by the user’s browser and tied to a specific application’s CF_Authorization cookie. This cookie is stripped at Cloudflare's edge and never forwarded to the origin server.
Binding cookies protect users' CF_Authorization cookies from possible malicious origins. If a request arrives to Cloudflare's network without the expected binding cookie, Cloudflare rejects the CF_Authorization cookie.
Do not enable Binding Cookie if:
- You are using the Access application for non-browser based tools (such as SSH or RDP).
- You have enabled incompatible Cloudflare products on the application domain.
- You have turned on WARP authentication identity for the application.
The Cookie Path Attribute adds the application's path URL to the CF_Authorization cookie. When enabled, a user who logs in to example.com/path1 must re-authenticate to access example.com/path2. When disabled, the CF_Authorization cookie is only scoped to the domain and subdomain.
By default, some browsers block all third-party cookies in private browsing mode, including the CF_Authorization cookie. For XHR requests to work in private windows, you will need to exempt your application and team domain from the browser's tracking protection system.
To enable third-party cookies for an Access application:
Chrome
- Go to Settings > Privacy and security > Cookies and other site data.
- Under Sites that can always use cookies, add the following URLs:
- Hostname of your Access application (for example,
https://jira.site.com) https://<your-team-name>.cloudflareaccess.com
- Hostname of your Access application (for example,
Safari
- Go to Safari > Settings > Privacy.
- Deselect Block all cookies.
Firefox
- Go to Settings > Privacy & Security.
- Scroll down to Cookies and Site Data.
- Select Manage Exceptions.
- Enter the URL of your Access application (for example,
https://jira.site.com) and select Allow. - Enter
https://<your-team-name>.cloudflareaccess.comand select Allow. - Select Save Changes.
Brave
- Go to
brave://settings/cookies. - Under Sites that can always use cookies, add the following URLs:
- Hostname of your Access application (for example,
https://jira.site.com) https://<your-team-name>.cloudflareaccess.com
- Hostname of your Access application (for example,
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark