@@ -72,16 +72,19 @@ The HttpOnly flag is a cookie attribute that prevents the cookie from being acce
...
@@ -72,16 +72,19 @@ The HttpOnly flag is a cookie attribute that prevents the cookie from being acce
Do not enable HttpOnly if:
Do not enable HttpOnly if:
- You are using the Access application for non-browser based tools.
- You are using the Access application for non-browser based tools (such as SSH or RDP).
- You have software that relies on being able to access a user’s cookie generated by Access.
- You have software that relies on being able to access a user’s cookie generated by Access.
### Binding Cookie
### Binding Cookie
The Binding Cookie is an additional cookie created when a user successfully authenticates, shared with Cloudflare to verify identity, and then stripped before it reaches the origin server. The Binding Cookie associates the browser with the Access token; the association protects against compromised authorization tokens because the origin webapp would never see this binding cookie. This protects against session hijack style attacks.
The Binding Cookie is an additional cookie created when a user successfully authenticates, shared with Cloudflare to verify identity, and then stripped before it reaches the origin server. The Binding Cookie associates the browser with the Access token; the association protects against compromised authorization tokens because the origin webapp would never see this binding cookie. This protects against session hijack style attacks.
#### When not to use the Binding Cookie
#### When not to use Binding Cookie
Do not use the Binding Cookie for non-browser based Access applications that rely on protocols like SSH, RDP, etc.
Do not enable Binding Cookie if:
- You are using the Access application for non-browser based tools (such as SSH or RDP).
- You have enabled [Automatic Signed Exchanges](/speed/optimization/other/signed-exchanges/enable-signed-exchange/), [Automatic Platform Optimization](/automatic-platform-optimization) or [Zaraz](/zaraz) on the application domain.
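Review bot: The new last bullet under "When not to use Binding Cookie" names Automatic Signed Exchanges, Automatic Platform Optimization and Zaraz without saying why they conflict with the Binding Cookie or what a user sees when both are enabled. Add a short clause giving the reason or the symptom, so an administrator can recognise the misconfiguration. The rewritten heading and lead-in ("Do not enable Binding Cookie if:") drop the article, while the unchanged paragraph above still says "The Binding Cookie"; pick one form and use it throughout the section. The links `/automatic-platform-optimization` and `/zaraz` also lack the trailing slash that the Signed Exchanges link carries, so make the three consistent.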