When scanning an app on web-vulnerabilities, the following vulnerability message appears: "Session cookie without secure flag set" This involves the cookies XASESSIONID and XASIS. The attempt to fix this by setting the secure flag in the web.config (<httpcookies requiressl="true"/>) on IIS failed, the vulnerability still exists. Anyone has an idea how to resolve this?