Unverified Commit ee19d752 authored by ranbel, committed by GitHub
[ZT] Binding cookie limitations (#10493)

* pcx-8123

* edit wording
parent 77b91506
...@@ -72,16 +72,19 @@ The HttpOnly flag is a cookie attribute that prevents the cookie from being acce ...@@ -72,16 +72,19 @@ The HttpOnly flag is a cookie attribute that prevents the cookie from being acce
Do not enable HttpOnly if: Do not enable HttpOnly if:
- You are using the Access application for non-browser based tools. - You are using the Access application for non-browser based tools (such as SSH or RDP).
- You have software that relies on being able to access a user’s cookie generated by Access. - You have software that relies on being able to access a user’s cookie generated by Access.
### Binding Cookie ### Binding Cookie
The Binding Cookie is an additional cookie created when a user successfully authenticates, shared with Cloudflare to verify identity, and then stripped before it reaches the origin server. The Binding Cookie associates the browser with the Access token; the association protects against compromised authorization tokens because the origin webapp would never see this binding cookie. This protects against session hijack style attacks. The Binding Cookie is an additional cookie created when a user successfully authenticates, shared with Cloudflare to verify identity, and then stripped before it reaches the origin server. The Binding Cookie associates the browser with the Access token; the association protects against compromised authorization tokens because the origin webapp would never see this binding cookie. This protects against session hijack style attacks.
#### When not to use the Binding Cookie #### When not to use Binding Cookie
Do not use the Binding Cookie for non-browser based Access applications that rely on protocols like SSH, RDP, etc. Do not enable Binding Cookie if:
- You are using the Access application for non-browser based tools (such as SSH or RDP).
- You have enabled [Automatic Signed Exchanges](/speed/optimization/other/signed-exchanges/enable-signed-exchange/), [Automatic Platform Optimization](/automatic-platform-optimization) or [Zaraz](/zaraz) on the application domain.
### Cookie Path Attribute ### Cookie Path Attribute
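Review bot: the second new bullet lists Automatic Signed Exchanges, Automatic Platform Optimization and Zaraz as reasons not to enable the Binding Cookie but gives no reason, so a reader cannot tell what actually goes wrong when one of those features is active on the application domain; add a short sentence stating the effect so an admin can judge whether to disable the feature or forgo the cookie. Two smaller points: the new heading "#### When not to use Binding Cookie" drops the article while the paragraph above and the HttpOnly section still say "the Binding Cookie", so keep "the" for consistency; and the link targets `/automatic-platform-optimization` and `/zaraz` are bare top-level paths where the first link uses a full docs path, so confirm both resolve before merging.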