Affects Version/s: 3.5.1
Fix Version/s: 4.4.0
From the ticket opened by a customer:
The application web server does not set the Secure attribute when generating certain application cookies. Without the Secure flag set, the web server will transmit the cookie in clear text if the application is accessible over an unencrypted channel. Consequently, an attacker can view any sensitive data in the cookie and gain unauthorized access to the application by hijacking a user’s session.
The following cookies were generated without the Secure attribute set.
This finding was discovered on the following application pages.
Here are a couple of links describing the nature of the secure attribute/flag: