We noticed the same issue in our Java and PHP tiers. The documentation is very unclear that a 'magic' side-effect will happen that changes server-side responses to include different headers and cookies.
I opened a support ticket on the matter, and I'll include some of my notes here for public clarity, but first, this is what my support rep mentioned:
---
Browser RUM uses two different kinds of short-lived cookies to help it collect data and correlate events:
The ADRUM cookie: written by the JavaScript agent, this cookie contains the referral page URL and some timing information to assist gathering First Byte Time for some browser types. When the agent loads on the subsequent page, it reads the information and then deletes the cookie. If there is no agent on that page, the cookie is deleted when the browser is closed.
For privacy purposes, the URL of the referral page is hashed.The ADRUM_X_Y_Z cookies: written by the server-side agent when the page is served from an instrumented server. These cookies help correlate browser data with related server-side performance data.
If Browser RUM detects that the page is HTTPS, the cookies are HttpsOnly. None of the cookies contain any personally identifiable information (PII).
You have an option to stop these cookies on node level. You can disable this setting the following agent property:
enable-eum-cookie
type: Boolean
value: falseAs described at: https://docs.appdynamics.com/display/PRO41/App+Agent+Node+Properties
However if we set this to false, the Browser requests cannot be correlated to the Back End server calls.
If the app agent is 4.1 or above you can also use the following property:
always-add-eum-metadata-in-http-headers
and set it to true
It will also write the meta data into the headers for the JS agent to consume.
---
Note: I don't actually see these properties in the documentation
The second point is that, at least for us, adding extra data in cookies isn't really safe. We cache our responses in a CDN, which means there isn't even always going to be a sever-side response to monitor, unless the EUM implementation also uses headers to disable downstream caching. Alternatively (still looking into this), it could mean our CDN is caching these cookies, which would render this data inaccurate anyway.
Lastly, just for this thread, the response given to your initial request does not address your concern. Unless I've misread, you asked about disabling the automatic addition of cookies into the http response, while the reply is about disabling automatic injection of a javascript tag in the body of the response.