My application uses session cookies. Somehow this cookie is injected with tracking information for a few users:
JSESSIONID=0624EF8E3E5E7CCBDB52BAE6C44C5AFB.jvm-application; optimizelySegments=%7B%22204658328%22%3A%22false%22%2C%22204736122%22%3A%22referral%22%2C%22204775011%22%3A%22ie%22%2C%22234726171%22%3A%22none%22%7D; optimizelyEndUserId=oeu6892721299353r0.9526657112221855; optimizelyBuckets=%7B%7D
The JSESSIONID is from my application while the optimizelyXXX elements appears to originate from optimizely.com, see optimizely FAQ .
How is this possible and what can I do? ModSecurity is complaining about possible injection. Of course I can disable this rule, but I want to understand what is happening.