Recently we installed AES on a test server and it underwent a pen test. There is one finding related to the SSL cookie. Please find the problem description below.
Problem Description: The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
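
One way to verify this finding before and after a fix, as an added example that is not part of the original post: the script below scans response headers captured over HTTPS and lists every cookie set without the Secure attribute. The header values and cookie names are constructed sample data, and the function names are hypothetical.

```python
# Added example: audit Set-Cookie headers for the Secure attribute.
# SAMPLE_HEADERS is constructed sample data, not output from the server in the post.

SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=0000abcd1234; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
    ("Content-Type", "text/html"),
    # Header names and attribute names are case-insensitive.
    ("set-cookie", "authtoken=eyJhbGciOi; Path=/app; secure; HttpOnly"),
    # The cookie *name* contains "secure", but the attribute is absent,
    # so a naive substring search on the header would miss this one.
    ("Set-Cookie", "securePrefs=1; Path=/"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_secure(headers):
    """Return the names of cookies that are set without the Secure attribute."""
    missing = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie {cookie!r} is set without the Secure attribute")
```
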