Vulnerabilities:
"Cookie set insecurely: "
"Secure cookie set outside a page served via SSL: "
"Found a persistent cookie: "
"Cookies that could be cached at proxies: "
"Cookie does not have HTTP-Only attribute: "
Remediation
Insecure Cookies: For security of sensitive information, cookies must be marked as secure and only be transmitted if the communications channel with the host is a secure one. Servers should use SSL in this case.
HTTPOnly Cookies: To prevent scripts from accessing and manipulating cookies, the HTTPOnly attribute should be set for the cookie.
Cacheable Cookies: If the cookie is intended for use by a single user (for private documents), the Set-Cookie header should not be cached. To suppress caching of the Set-Cookie header, the origin server should send the Cache-Control: no-cache="set-cookie" response header.
Persistent Cookies: A cookie that is used to store session-id information should not be persistent; the Expires or Max-Age attribute for the cookie should be set accordingly, so that the cookie information is valid only for the session.
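
The five findings and their remediation can be checked against a response's headers. The following is an added example, not output or code from the scanner quoted above: the function names and sample headers are constructed, and treating no-store, private and unqualified no-cache as also suppressing caching is an assumption that goes beyond the no-cache="set-cookie" directive named in the text.

```python
import re
# Added example; function names and sample headers are constructed.
DIRECTIVE = re.compile(r'([a-z-]+)(?:="([^"]*)")?')

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def set_cookie_uncacheable(cache_control):
    """True if Cache-Control keeps shared caches from reusing Set-Cookie.
    Also accepts no-store, private, bare no-cache (assumption of this example)."""
    for name, fields in DIRECTIVE.findall(cache_control.lower()):
        if name in ("no-store", "private", "no-cache"):
            listed = [f.strip() for f in fields.split(",") if f.strip()]
            if not listed or "set-cookie" in listed:
                return True
    return False

def audit_cookie(set_cookie, is_https, cache_control="", holds_session=True):
    """Return (cookie name, findings) using the scanner's finding titles."""
    name, attrs = parse_set_cookie(set_cookie)
    findings = []
    if "secure" not in attrs:
        findings.append("Cookie set insecurely")
    elif not is_https:
        findings.append("Secure cookie set outside a page served via SSL")
    if holds_session and ("expires" in attrs or "max-age" in attrs):
        findings.append("Found a persistent cookie")
    if not set_cookie_uncacheable(cache_control):
        findings.append("Cookies that could be cached at proxies")
    if "httponly" not in attrs:
        findings.append("Cookie does not have HTTP-Only attribute")
    return name, findings

# Constructed responses: a weak session cookie, then the remediated one.
WEAK = audit_cookie("SESSIONID=abc123; Path=/; Max-Age=2592000",
                    is_https=False, cache_control="public, max-age=600")
FIXED = audit_cookie("SESSIONID=abc123; Path=/; Secure; HttpOnly",
                     is_https=True, cache_control='no-cache="set-cookie"')

if __name__ == "__main__":
    for name, findings in (WEAK, FIXED):
        print(name, findings or "no findings")
```

Pass holds_session=False for cookies that are meant to outlive the browser session, so that only session-id cookies are reported as persistent.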
This was probably produced by a security product's scan, right?