Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Cookie Security: Misconfigured Prefix

Abstract
A cookie created with the __Host- or __Secure- prefix must have the Secure attribute set, must not set the Domain attribute, and must restrict the Path attribute value to /.
Explanation
Cookies with names that start with the __Host- or __Secure- prefix must be set with the Secure attribute, and they must be set from a secure page (HTTPS). Additionally, a __Host- prefixed cookie must not have a Domain attribute (so that it is not sent to subdomains), and its Path attribute must be set to /. A browser will reject a cookie that violates these rules. Restricting a cookie to a secure channel protects it from being sent, or overwritten by a forged site, over an unencrypted HTTP channel. The restrictions imposed by the __Host- prefix prevent a cookie from being accessed by a subdomain, which may be owned by a different entity (for example, on a shared blog platform).
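As an added example (not Fortify's own code), the following Python checker applies the prefix rules above to a Set-Cookie header value, the way a browser does before deciding whether to accept the cookie; the header strings are constructed for illustration.

```python
# Added example: validates a Set-Cookie header against the __Host-/__Secure-
# prefix rules. Not taken from the Fortify page or any browser's source.

def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), value, attrs


def prefix_violations(header: str, secure_origin: bool = True) -> list:
    """Return the prefix rules the cookie breaks (an empty list means accepted).

    secure_origin says whether the response arrived over HTTPS; a browser only
    accepts prefixed cookies that are set from a secure page.
    """
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if name.startswith(("__Secure-", "__Host-")):
        if "secure" not in attrs:
            problems.append("missing Secure attribute")
        if not secure_origin:
            problems.append("set from a non-HTTPS origin")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            problems.append("Domain attribute not allowed")
        if attrs.get("path") != "/":
            problems.append("Path must be /")
    return problems


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    samples = [
        "__Host-session=abc123; Secure; Path=/; HttpOnly",            # accepted
        "__Host-session=abc123; Secure; Path=/; Domain=example.com",  # rejected
        "__Secure-id=xyz; Path=/",                                    # rejected
        "__Host-id=xyz; Secure",                                      # rejected
    ]
    for header in samples:
        print(header, "->", prefix_violations(header) or "OK")
```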
References
[1] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[2] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.4.4 Cookie-based Session Management (L1 L2 L3)
[3] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[4] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[5] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration