Session cookies or other sensitive cookies are set without the Secure flag, allowing them to be transmitted over unencrypted HTTP connections.
An attacker performing a man-in-the-middle attack on an unencrypted connection could intercept session cookies or other sensitive cookie values.
Set the Secure flag on all cookies containing sensitive information. Enforce HTTPS across the entire application. Implement HSTS to prevent HTTP downgrade attacks.
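The check below is an added example, not part of the original finding: it audits a captured set of HTTP response headers for Set-Cookie values lacking the Secure attribute and for a missing Strict-Transport-Security header, and it builds the hardened header values a remediation would emit. The header lists are constructed for illustration; the hardened cookie builder also adds HttpOnly and SameSite, which go beyond what the finding itself calls for.

```python
"""Audit response headers for insecure cookies and missing HSTS, and build
hardened replacements. Stdlib only; all inputs are constructed samples."""


def parse_set_cookie(value):
    """Split a Set-Cookie header value into (name, cookie_value, attrs).

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True so callers can test membership.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), cookie_value, attrs


def audit_headers(headers, served_over_https=True):
    """Return a list of findings for a response's header list.

    Flags every cookie set without Secure, and the absence of an HSTS
    policy when the response is served over HTTPS.
    """
    findings = []
    has_hsts = False
    for field, value in headers:
        field_lc = field.lower()
        if field_lc == "strict-transport-security":
            has_hsts = True
        elif field_lc == "set-cookie":
            name, _, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie '{name}' is set without the Secure flag")
    if served_over_https and not has_hsts:
        findings.append("no Strict-Transport-Security header on HTTPS response")
    return findings


def secure_cookie(name, value, max_age=3600):
    """Build a hardened Set-Cookie value: Secure plus HttpOnly and SameSite."""
    return (f"{name}={value}; Secure; HttpOnly; SameSite=Lax; "
            f"Path=/; Max-Age={max_age}")


def hsts_header(max_age=31536000, include_subdomains=True):
    """Build a Strict-Transport-Security value (one year by default)."""
    policy = f"max-age={max_age}"
    if include_subdomains:
        policy += "; includeSubDomains"
    return policy


# Constructed sample: a response as the finding describes it.
VULNERABLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; HttpOnly; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Set-Cookie", "csrftoken=xyz; Secure; SameSite=Strict"),
]

# Constructed sample: the same response after remediation.
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", hsts_header()),
    ("Set-Cookie", secure_cookie("sessionid", "abc123")),
    ("Set-Cookie", secure_cookie("theme", "dark")),
    ("Set-Cookie", "csrftoken=xyz; Secure; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, hdrs in (("before", VULNERABLE_HEADERS), ("after", HARDENED_HEADERS)):
        print(f"{label}: {audit_headers(hdrs) or 'no findings'}")
```

Running the module prints three findings for the vulnerable sample (two cookies without Secure and no HSTS header) and none for the hardened one. The same `audit_headers` function can be pointed at headers collected from a real response, for example `response.getheaders()` from `http.client`, to verify a fix.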