Problem with Cookie Domain

[daverubens]

Hello - long time user first time issue reporter here.

I am having an issue that appears to be identical to an issue that was closed a few years ago: Issue #28 . I'm receiving the following error in running my tests:

WARNING: Cookie rejected: "$Version=0; BrowserId=****YrlEeqX0oUZgzlGmg; $Path=/; $Domain=.salesforce.com". Domain attribute ".salesforce.com" violates RFC 2109: host minus domain may not contain any dots

A couple of things:

1. We are using custom domains for our sandboxes.
2. I've run curl commands and I'm able to receive an access token, though the curl response does indicate that the cookie domain is ".salesforce.com".
3. There has been a recent change in salesforce that was just enforced on sandboxes to "Stabilize the Hostname" on sandboxes: link. This may be applicable as the refresh of sandboxes with this critical update enabled seems to coincide with failure of ApexUnit. NOTE: we have been running this successfully for 2+ years so this is NEW that we are having this problem. We've documented the setup of the Connected App and that has not changed - this is the only thing I can think of that is different.

Here is my curl output for reference.

$ curl -v https://< our my domain >.my.salesforce.com/services/oauth2/token -d "grant_type=password" -d "client_id=******.6IFhNpPozsW7VReCPtBkiLQ6SYhe0_dpLfro_nRDTztg4IKNU0QmvIqXnKwl5kAsswBfuh.4qmWgI" -d "client_secret=******A74B77E07E0CC6A7EBC4635F729F009209A6C00132351B396F50CC6B1" -d "username=< username >" -d "password=< password >"
*   Trying xx.xx.xx.xx:443...
* TCP_NODELAY set
* Connected to < our my domain >.my.salesforce.com (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /Users/*****/opt/anaconda3/ssl/cacert.pem
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=salesforce.com, inc.; CN=*.cs32.force.com
*  start date: Oct 18 00:00:00 2019 GMT
*  expire date: Oct 18 12:00:00 2020 GMT
*  subjectAltName: host "<our my domain>.my.salesforce.com" matched cert's "*.my.salesforce.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> POST /services/oauth2/token HTTP/1.1
> Host: <our my domain>.my.salesforce.com
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 267
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 267 out of 267 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Thu, 30 Apr 2020 14:39:35 GMT
< Strict-Transport-Security: max-age=31536004; includeSubDomains
< Public-Key-Pins-Report-Only: pin-sha256="******nSRF+W4W4JTq51avSXkWhQB8duS2bxVLfzXsY="; pin-sha256="******w0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="; pin-sha256="******+22dNXAi+yb8e3UMypgzPUPHlv4+foULwl1g="; max-age=86400; includeSubDomains; report-uri="https://a.forcesslreports.com/hpkp-report/00Dr0000000*****";
< Expect-CT: max-age=86400, report-uri="https://a.forcesslreports.com/Expect-CT-report/00Dr0000000*****"
< X-Robots-Tag: none
< Cache-Control: no-cache,must-revalidate,max-age=0,no-store,private
< Set-Cookie: BrowserId=acdiy4rwEeq_zYtHwfJyVw; **_domain=.salesforce.com_**; path=/; expires=Fri, 30-Apr-2021 14:39:35 GMT; Max-Age=31536000
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-ReadOnlyMode: false
< Content-Type: application/json;charset=UTF-8
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< 
* Connection #0 to host <our my domain>.my.salesforce.com left intact
{"access_token":"00Dr0000000****!******MWb25.1dM.ziwjg0c.r_GD5YAK.dqRkct6hmj80rIZNM1TZ7fI56FQ0cA87VmIxHck.TgV1NlUlgFvo.Y5K6JbKGB2","instance_url":"https://cfpb--<our my domain>.my.salesforce.com","id":"https://test.salesforce.com/id/00Dr0000000*******/005t0000001*******","token_type":"Bearer","issued_at":"1588257576086","signature":"*******t98CN2QnEvArJrmaEBnPKIuo7ZHFg8FlDgQ="}

Other things I've tried:

1. using the pod instead of the custom domain in the curl call (this works - meaning i receive an access token - but it doesn't fix the domain issue)
2. I've tried this on 2 different sandboxes and it's failing.

Any ideas? Thanks in advance!