After upgrading to Episerver 11, I've noticed session cookies like EPi:StateMarker and EPi:ViewedPages, with value "true" and "244" respectively in our production environment only. They aren't a problem in themselves, but they are not marked secure nor httpOnly, which triggers warnings from our security scanning tool.
Does anyone have any idea where they come from and how to secure them?