We have received this official response from the MS Clarity Team:

The _clck cookie in Clarity helps stitch sessions for the same user by using a random user ID and user preferences, including the date represented as a base36 string to optimize performance. During a specific time window, the date was represented as "ftp" in base36, which led to a false positive from the WAF ruleset, mistakenly identifying it as an FTP protocol attack. Clarity will now set a different value since the date has changed - automatically resolving the conflict with the WAF rule set. We recommend reviewing the WAF rules to prevent such false positives. Additionally, we are working to ensure that our randomly generated strings in cookies do not contain sensitive keywords.
Issue with MS Clarity and F5 WAF Blocking _uetsid Cookie (Containing "ftp" String)
Dear Team,
We've encountered a widespread issue affecting many of our websites that utilize Microsoft Clarity. Our F5 Web Application Firewall (WAF) is blocking the _uetsid cookie, specifically due to the presence of the string "ftp" within its value.
Example of the blocked cookie: _uetsid=a6f3bd20f28b11ef9c2255706f8b86cf|198c6ic|2|ftp|0|1234
Our security team flags the "ftp" string as potentially indicative of an attempt to inject executable commands within the cookie.
Key Questions:
- Is there a legitimate reason for Microsoft Clarity to include the string "ftp" within the _uetsid cookie? This appears to be the trigger for our WAF's security rules.
- Can we expect Microsoft to address this issue in a future update to Clarity? This is causing significant disruption to our website analytics.
We appreciate your prompt attention to this matter.
Thank you,
2 additional answers
-
Alexander Paterikin 0 Reputation points
2025-02-24T22:37:22.5333333+00:00
Hi.
We also experienced the same issue today with the 'ftp' value in the _clck cookie, but it resolved itself 'magically' about 30 minutes ago.
We discovered that code was automatically added to our page, which was loading a script from https://www.clarity.ms/s/0.7.69/clarity.js and generating the _clck cookie.
After the issue disappeared, we found that the clarity.js script was no longer present, and the cookie is no longer being created.
Everything seems to be working ok now.
-
JOSE ANDRES ORTIZ GONZALEZ 96 Reputation points
2025-02-25T14:02:33.4133333+00:00
Hi, now we see FTQ in the _clck cookie value; maybe Microsoft has now resolved the issue by changing FTP to FTQ. Is anyone else noticing this change? Thanks
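
The official response above attributes the "ftp" field to a base36-encoded date, and the last answer reports the value moving on to FTQ. The sketch below is an added example, not Clarity or F5 code: it decodes the flagged field from the cookie in the question and lists when a base36 counter would spell a keyword again. The keyword list, the function names and the "alphanumeric-only field" verdict rule are assumptions made for illustration.

```javascript
// Added example (not Clarity or F5 code); keyword list and verdict rule are assumptions.
const KEYWORDS = ["ftp", "cmd", "ssh"]; // constructed sample list, not an F5 signature set

// First value is the cookie from the question; the second is constructed for contrast.
const BLOCKED = "a6f3bd20f28b11ef9c2255706f8b86cf|198c6ic|2|ftp|0|1234";
const CONSTRUCTED = "0123abcd|ftp://files.example/readme|0";

const isBase36 = (s) => /^[0-9a-z]+$/i.test(s);

// Decode only short tokens so the result stays an exact integer (36^10 < 2^53).
function decodeBase36(token) {
  return isBase36(token) && token.length <= 10 ? parseInt(token, 36) : null;
}

// For each pipe-delimited field containing a keyword, decide whether it looks
// like an encoded number (alphanumeric only) or needs an analyst to review it.
function triageCookie(value, keywords = KEYWORDS) {
  const hits = [];
  value.split("|").forEach((field, index) => {
    const keyword = keywords.find((k) => field.toLowerCase().includes(k));
    if (!keyword) return;
    const decimal = decodeBase36(field);
    hits.push({
      index, field, keyword, decimal,
      next: decimal === null ? null : (decimal + 1).toString(36),
      verdict: isBase36(field) ? "base36-collision" : "review",
    });
  });
  return hits;
}

// List the counter values in [start, start + count) whose base36 form
// contains a keyword, i.e. when the same false positive would recur.
function upcomingCollisions(start, count, keywords = KEYWORDS) {
  const out = [];
  for (let v = start; v < start + count; v++) {
    const token = v.toString(36);
    const keyword = keywords.find((k) => token.includes(k));
    if (keyword) out.push({ value: v, token, keyword });
  }
  return out;
}

console.log(triageCookie(BLOCKED), triageCookie(CONSTRUCTED));
```

For the cookie in the question, the flagged field decodes to 20509 and its successor encodes as "ftq", which is consistent with the value changing on its own once the encoded date advanced.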