The _cfduid cookie helps Cloudflare detect malicious visitors to our Customers’ websites and minimizes blocking legitimate users. It may be placed on the devices of our customers’ End Users to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It is necessary for supporting Cloudflare’s security features.
Privacy and the _cfduid cookie
The _cfduid cookie collects and anonymizes End User IP addresses using a one-way hash of certain values so they cannot be personally identified. The cookie is a session cookie that expires after 30 days.
The _cfduid cookie does not:
allow for cross-site tracking,
follow users from site to site by merging various _cfduid identifiers into a profile, or
correspond to any user ID in a Customer’s web application.
Generally, Cloudflare keeps user-level data (including the IP address of a requester) for less than 24 hours for domains in the Free, Pro and Business plans, and up to seven (7) days for Enterprise domains that have enabled Cloudflare Logs (formerly Enterprise LogShare or ELS). There may be exceptions with IP addresses that have triggered security alerts. You can find more information about what Cloudflare logs in this blog post.
Cloudflare has no control over how long a Customer may store downloaded Cloudflare Logs in their networks. Regarding any information that may live in cached content on our edge servers, our Customers control what data should be cached and for how long.
You can learn more about CloudFlare Cookies by clicking here: CloudFlare Cookies