The usual reply from the auditor is that even though this is not session
related, hackers can exploit this and redirect the url to some place
unintended. So the best practice is to not allow such exploitation for any
cookies. To keep the auditor happy we have to use an apache frontend to
rewrite this cookie. Hopefully this can get priority to be fixed in grafana
itself.