Say I have a simple Ajax webpage and a Java backend (Tomcat).
The webpage has Google analytics enabled, among others.
I was surprised to see the GA cookies (__utma et al) on my Tomcat logs.
I guess it has something to do with the fact that the webpage is part of the app (share the same domain) and the GA cookies have / for path.
Other than separating the API from the webpage host address, is there anything I can do to prevent GA cookies from reaching the backend?
If you are seeing _utma cookies you are using a deprecated version of GA. You should update to Universal Analytics, if you can't do that your only hope is to configure your logs not to include cookie data (I'm not a Tomcat expert but Im fairly sure that's possible).
If you use Universal Analytics there is much less cookie data in any case (UA mostly uses a single cookie to persist a client id. Classic Analytics used up to 5 cookies with a very convoluted format).
If you have some control over the frontend you can configure GA to not use cookies at all. Since without cookies GA cannot maintain a session due to a lack of a persistent client id you need to supply a client id yourself.
This is usually done via serverside scripting, which would not actually help you since that would require another cookie set by yourself, so you'd just move the problem around. But there are other clientside ways to store data.
This answer suggest a way to use localstorage to persist the client id which should work at least as long as you are not doing cross domain tracking (if you do you need to decorate links yourself with the client id and take it from the query string yourself on the receiving site).
Note that if you do content experiments (Googles stunted approach to A/B testing) this will generate another first party cookie not covered by the localstorage approach.
