I scanned our web application with qualysguard web application vulnerability scanner. Most of vulnerabilities are resolved but this 2 are sticking with report every time.
Actually we are not using cookies except session cookies in our entire web application. After scanning I have seen that scanner is detecting cookies in "cookies collected" section are only session cookies.
we have our session cookies with both "secure" and "httponly" attributes. So I am confused how this vulnerability is detecting every time.