We are making Lookback API calls to Rally prod from our gateway servers, but we are noticing a "Cookie rejected" warning message in our logs, as below:
timestamp: 2021-12-06T15:05:03
query url: rally1.rallydev.com/analytics/v2.0/service/rally/workspace/<Workspace OID>/artifact/snapshot/query.js
{"@timeStamp":"2021-12-06T15:05:03,752","thread":"pool-4-thread-2","level":"WARN","loggerName":"org.apache.http.client.protocol.ResponseProcessCookies","message":"Cookie rejected: "[version: 0][name: JSESSIONID][value: <JSESSIONID_VALUE>][domain: <Hostname>][path: /analytics][expiry: null]". Illegal path attribute "/analytics". Path of origin: "/caac/saas/analytics/v2.0/service/rally/workspace/<Workspace OID>/artifact/snapshot/query.js""}
Could you verify why this warning message is returned in the response, and also confirm whether the cookie is formed as expected?
Cookies are provided by the server (us) to the client (you). Clients that conform to proper standards will reject a cookie whose domain name does not match what the client is expecting. This is client-side security to prevent rogue websites from reading and/or writing sensitive cookie information for websites that they do not have access to.
In this case, the client believes that the cookie should be provided by <Hostname>, but we are providing our cookie with a sandbox.rallydev.com hostname, and the client is rejecting it, as it should.
Normally, any deviation from that behavior would be handled client-side through configuration. It is up to the client to decide if it wants to handle a less secure scenario, not up to the server. As such, there is nothing for us to whitelist.
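The logged warning itself is the client's Path-attribute check: the cookie carries Path=/analytics, but the request path seen by the client starts with /caac/saas/analytics, so the Path is not a prefix of the request path and a conforming client refuses to store it. As an added example (not code from the ticket, from Rally, or from Apache HttpClient), the following Python re-implements that check using the RFC 6265 path-match rule, which is assumed to mirror the logic behind the ResponseProcessCookies warning, parses the quoted log line, and confirms the rejection offline.

```python
import re

# Constructed from the warning quoted in the ticket; the OID and session
# value are the ticket's own placeholders, not real identifiers.
LOG_MESSAGE = (
    'Cookie rejected: "[version: 0][name: JSESSIONID][value: <JSESSIONID_VALUE>]'
    '[domain: <Hostname>][path: /analytics][expiry: null]". Illegal path attribute '
    '"/analytics". Path of origin: "/caac/saas/analytics/v2.0/service/rally/'
    'workspace/<Workspace OID>/artifact/snapshot/query.js"'
)

_REJECT_RE = re.compile(
    r'Illegal path attribute "(?P<cookie>[^"]*)"\. Path of origin: "(?P<origin>[^"]*)"'
)


def path_matches(cookie_path, request_path):
    """Path check a conforming client applies before storing a cookie.

    RFC 6265 section 5.1.4 path-match: the cookie's Path must be a prefix of
    the request path ending on a segment boundary, so "/analytics" covers
    "/analytics/v2.0/..." but neither "/analyticsX" nor
    "/caac/saas/analytics/...". Assumed to mirror the client check that
    produced the logged warning; this is not that client's code.
    """
    top = cookie_path or "/"
    if len(top) > 1 and top.endswith("/"):
        top = top[:-1]                       # normalise a trailing slash away
    if not request_path.startswith(top):
        return False
    if len(request_path) == len(top) or top.endswith("/"):
        return True
    return request_path[len(top)] == "/"     # must end on a segment boundary


def diagnose(log_line):
    """Parse a ResponseProcessCookies warning and re-run the Path check.

    Returns None if the line is not a path rejection; otherwise a dict with
    both paths and whether the check passes (False for a genuine rejection).
    """
    m = _REJECT_RE.search(log_line)
    if m is None:
        return None
    cookie_path, origin = m.group("cookie"), m.group("origin")
    return {
        "cookie_path": cookie_path,
        "origin_path": origin,
        "accepted": path_matches(cookie_path, origin),
    }


if __name__ == "__main__":
    print(diagnose(LOG_MESSAGE))
```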