Session cookies without __Host- or __Secure- prefix
Cookie prefixes (__Host- and __Secure-) are naming conventions that tell browsers to enforce stricter rules on the cookies that carry them. A __Secure- cookie is only accepted when it is set from an HTTPS origin with the Secure attribute. A __Host- cookie must additionally be set with Path=/ and without a Domain attribute, which binds it to the exact host that set it, so it cannot be set or overridden from a subdomain. A browser silently rejects any prefixed cookie that violates these rules, which is what makes the prefix a guarantee rather than a hint.
Why this matters
Without these prefixes, an attacker who compromises a subdomain of your site could plant a cookie with the same name as your session cookie (for example with a Domain attribute covering the parent domain). The browser then sends both cookies, and the server may read the attacker's value instead of the legitimate one, leading to session fixation or hijacking. The __Host- prefix prevents this because the browser refuses to store such a cookie from any origin other than the exact host.
How to fix it
Rename session and authentication cookies to use the __Host- prefix (strongest) or, only where the cookie must be shared across subdomains, the __Secure- prefix, and ensure they have the Secure attribute set. A __Host- cookie must also be set with Path=/ and without a Domain attribute, otherwise the browser rejects it and the application appears to lose its session. Because the cookie name is part of what the client sends back, check every place the server reads the cookie by name and expect existing sessions to be invalidated when the rename is deployed.
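The following is an added example, not code from the original page: a small checker that applies the __Host- and __Secure- prefix rules the way a browser does to a Set-Cookie header value, plus a helper that builds a compliant session cookie. Cookie names and values are constructed samples; the HttpOnly and SameSite attributes in the helper are a recommended addition assumed here, not something the page requires.

```python
# Validate Set-Cookie header values against the cookie-prefix rules
# (__Secure-: Secure attribute, secure origin; __Host-: additionally
# Path=/ and no Domain attribute). Useful as a unit test in a web app
# so a misconfigured prefixed cookie fails CI instead of being silently
# dropped by browsers in production.

def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attributes are case-insensitive
    return name.strip(), value, attrs


def prefix_violations(header: str, secure_origin: bool = True) -> list:
    """Return the reasons a browser would reject this cookie; [] means accepted.

    secure_origin says whether the response came over HTTPS; prefixed
    cookies set from plain HTTP are rejected regardless of attributes.
    """
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if name.startswith("__Host-") or name.startswith("__Secure-"):
        if "secure" not in attrs:
            problems.append("missing Secure attribute")
        if not secure_origin:
            problems.append("not set from a secure (https) origin")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            problems.append("Domain attribute not allowed with __Host-")
        if attrs.get("path") != "/":
            problems.append("Path must be exactly '/' with __Host-")
    return problems


def session_cookie(session_id: str) -> str:
    """Build a __Host- session cookie that satisfies the prefix rules."""
    # No Domain attribute on purpose: the cookie must stay host-only.
    return f"__Host-session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    for hdr in ("session=abc123",                                   # unprefixed: no rules
                "__Host-session=abc123; Secure; Path=/; Domain=example.com",
                session_cookie("abc123")):
        print(hdr, "->", prefix_violations(hdr) or "accepted")
```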