Introduction

A Cloudflare Access login loop usually means authentication is succeeding somewhere, but the application session is not being recognized on the next request. That can happen when the protected hostname, callback path, identity policy, or cookie scope does not line up with what the browser actually returns after login. The fix is to trace the exact host and session flow from challenge to post-login request.

Symptoms

  • Users log in through Cloudflare Access but are sent back to the login screen again
  • The protected app never loads even though identity verification appears successful
  • The loop happens only on one hostname, browser, or environment
  • The issue started after changing Access policies, hostnames, or application routing
  • Direct origin access may work while Access-protected access loops repeatedly

Common Causes

  • The Access application is configured for a different hostname than the one users visit
  • Session cookies are scoped incorrectly for the protected domain or subdomain
  • Identity or allow rules conflict and force repeated re-evaluation after login
  • Callback or redirect URLs no longer match the application's real public route
  • Upstream redirects bounce users between hostnames in a way that invalidates the Access session

Step-by-Step Fix

  1. Reproduce the loop on a specific hostname and record the exact redirect sequence from login to the repeated challenge.
  2. Confirm the Cloudflare Access application configuration matches the hostname users actually visit.
  3. Review cookie domain and session behavior to make sure the browser can return the Access session on the follow-up request.
  4. Check whether the application or proxy redirects users between different hostnames, paths, or protocols after authentication.
  5. Inspect Access policies for overlapping or conflicting rules that may challenge the same user again immediately.
  6. Verify any identity provider callback and post-login destination still align with the current public app URL.
  7. Test with a clean browser session after correcting hostname, cookie, or redirect mismatches.
  8. Confirm the protected application now loads on the first authenticated request without returning to the Access prompt.
  9. Keep Access hostname ownership and redirect behavior documented so future routing changes do not reintroduce loops.
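
The redirect sequence recorded in step 1 can be checked mechanically for the mismatches that steps 2 to 4 look for. The sketch below is an added example, not Cloudflare tooling or code from the original page. It assumes the hops were copied from the browser's network tab into a hypothetical dict format, that the Access session cookie is named CF_Authorization, and it uses constructed hostnames and paths (app.example.com, login.example.net as a stand-in for the login domain).

```python
from urllib.parse import urlsplit

SESSION_COOKIE = "CF_Authorization"  # assumed Cloudflare Access session cookie name

def cookie_returned(domain_attr, set_on_host, req_host):
    """Browser domain matching: host-only unless a Domain attribute was set."""
    if not domain_attr:
        return req_host == set_on_host
    d = domain_attr.lstrip(".").lower()
    return req_host == d or req_host.endswith("." + d)

def analyze(hops, login_hosts):
    """hops: ordered dicts with url, location, optional set_cookie [(name, domain, secure)]."""
    findings, jar, prev = [], [], None
    for i, hop in enumerate(hops):
        u = urlsplit(hop["url"])
        if u.hostname in login_hosts:
            continue  # identity/login hops are not where the app session lives
        if prev and prev.hostname != u.hostname:
            findings.append((i, "host-change", f"{prev.hostname} -> {u.hostname}"))
        if prev and prev.scheme == "https" and u.scheme == "http":
            findings.append((i, "scheme-downgrade", hop["url"]))
        for domain, secure, set_on in jar:  # would the browser send the session cookie here?
            if not cookie_returned(domain, set_on, u.hostname):
                findings.append((i, "cookie-not-sent", f"set on {set_on}, scope {domain or 'host-only'}"))
            elif secure and u.scheme != "https":
                findings.append((i, "cookie-not-sent", "Secure cookie, plain-http request"))
        if jar and urlsplit(hop.get("location") or "").hostname in login_hosts:
            findings.append((i, "rechallenge", hop["location"]))  # session issued, challenged again
        jar += [(d, s, u.hostname) for n, d, s in hop.get("set_cookie", []) if n == SESSION_COOKIE]
        prev = u
    return findings

# Constructed sample: the origin redirects app.example.com -> www.app.example.com after login.
LOGIN = {"login.example.net"}
COOKIE = [(SESSION_COOKIE, None, True)]  # host-only, Secure
LOOPING = [
    {"url": "https://app.example.com/", "location": "https://login.example.net/login"},
    {"url": "https://login.example.net/login", "location": "https://app.example.com/callback"},
    {"url": "https://app.example.com/callback", "location": "https://app.example.com/", "set_cookie": COOKIE},
    {"url": "https://app.example.com/", "location": "https://www.app.example.com/"},
    {"url": "https://www.app.example.com/", "location": "https://login.example.net/login"},
]
HEALTHY = LOOPING[:3] + [{"url": "https://app.example.com/", "location": None}]

if __name__ == "__main__":
    for finding in analyze(LOOPING, LOGIN):
        print(finding)
```

On the looping sample, all three findings land on the last hop: the hostname changed, the host-only session cookie cannot be returned to the new hostname, and the user is challenged again after a session was already issued.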