Like all the other questions regarding cookies and security scan, is there a way to mark the "EPiSessionId" cookie secure AND httpOnly?
I've already set:
<httpCookies requireSSL="true" httpOnlyCookies="true" />
and even tried to intercept the response cookies and override the settings -- but did not work.