All interactions between the client and the application should be tested at least against the following criteria:

  1. Are all Set-Cookie directives tagged as Secure?

  2. Do any Cookie operations take place over unencrypted transport?

  3. Can the Cookie be forced over unencrypted transport?

  4. If so, how does the application maintain security?

  5. Are any Cookies persistent?

  6. What Expires= (or Max-Age=) values are used on persistent cookies, and are they reasonable for the data the cookie protects?

  7. Are cookies that are expected to be transient (session cookies) actually configured as such, i.e. issued without Expires= or Max-Age=?

  8. What HTTP/1.1 Cache-Control settings (e.g. no-store) are used to protect responses that set Cookies?

  9. What HTTP/1.0 caching headers (Pragma: no-cache, Expires) are used to protect those responses? HTTP/1.0 caches do not understand Cache-Control, so they need these separately.

How many cookies are used by the application?

Which parts of the application generate and/or modify the cookie?

Which parts of the application require this cookie in order to be accessed and utilized?
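Most of the checklist above can be run mechanically over a captured response. The script below is an added example (not from the original page): it parses a constructed HTTP response, reports each Set-Cookie that lacks Secure, is persistent when its name suggests a session cookie, or has an Expires/Max-Age lifetime beyond a threshold, and checks that the response carries both the HTTP/1.1 (Cache-Control: no-store) and HTTP/1.0 (Pragma: no-cache) cache protections. The sample response, the MAX_PERSIST_DAYS threshold and the TRANSIENT_NAMES list are assumptions chosen for illustration. Items 2 to 4 (whether the cookie can be forced over unencrypted transport) need a live request over http:// and are not covered here.

```python
"""Audit Set-Cookie headers in a captured HTTP response against the checklist above.

Added example, not from the original page. Assumptions (hypothetical):
  * MAX_PERSIST_DAYS: lifetime beyond which a persistent cookie is flagged
  * TRANSIENT_NAMES: cookie names the application is expected to issue as session cookies
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_PERSIST_DAYS = 30                                               # assumption
TRANSIENT_NAMES = ("sid", "sessionid", "jsessionid", "phpsessid")   # assumption

# Constructed sample response (not captured from any real application).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 06 Jan 2025 10:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: private\r\n"
    "Set-Cookie: sid=5f3a9c; Path=/; HttpOnly\r\n"
    "Set-Cookie: remember=u42; Path=/; Expires=Wed, 06 Aug 2025 10:00:00 GMT; Secure\r\n"
    "\r\n"
    "<html></html>"
)

def parse_headers(raw):
    """Return the response headers as (name, value) pairs, keeping repeated headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def header_values(headers, name):
    return [v for n, v in headers if n == name]

def parse_set_cookie(value):
    """Split 'name=value; Attr=val; Flag' into a dict; bare flags map to True."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": cookie_value.strip(), "attrs": attrs}

def lifetime(cookie, now):
    """Remaining lifetime of a persistent cookie; None for a session cookie. Max-Age wins over Expires."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None

def check_cookie(cookie, now):
    """Checklist items 1, 5, 6 and 7 for a single Set-Cookie."""
    findings = []
    if cookie["attrs"].get("secure") is not True:
        findings.append("missing Secure: cookie will be sent over plain HTTP")
    life = lifetime(cookie, now)
    if life is not None:
        if cookie["name"].lower() in TRANSIENT_NAMES:
            findings.append("session cookie is persistent (has Expires/Max-Age)")
        if life > timedelta(days=MAX_PERSIST_DAYS):
            findings.append(f"Expires lifetime of {life.days} days exceeds {MAX_PERSIST_DAYS}")
    return findings

def check_caching(headers):
    """Items 8 and 9: HTTP/1.1 caches honour Cache-Control, HTTP/1.0 caches only Pragma/Expires."""
    findings = []
    cc = ",".join(header_values(headers, "cache-control")).lower()
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store (HTTP/1.1 caches may store the Set-Cookie response)")
    pragma = ",".join(header_values(headers, "pragma")).lower()
    if "no-cache" not in pragma:
        findings.append("Pragma: no-cache absent (HTTP/1.0 caches may store the response)")
    return findings

def audit(raw, now):
    """Map each cookie name to its findings; '_response' holds the caching findings."""
    headers = parse_headers(raw)
    report = {}
    for value in header_values(headers, "set-cookie"):
        cookie = parse_set_cookie(value)
        report[cookie["name"]] = check_cookie(cookie, now)
    if report:                                   # caching only matters when cookies are set
        report["_response"] = check_caching(headers)
    return report

def audit_sample():
    """Run the audit against the constructed sample at a fixed clock so results are reproducible."""
    return audit(SAMPLE_RESPONSE, datetime(2025, 1, 6, 10, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(name, findings or ["ok"])
```

To use this against a real target, paste the raw response from a proxy into SAMPLE_RESPONSE (or read it from a file) and pass the current UTC time instead of the fixed clock; the lifetime check is relative to that clock, so an Expires= in the past (a deletion cookie) comes out as a negative lifetime and is not flagged.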

Testing methods

Mitigation