I've created a WebDirect solution ("web form") where I'm asking users to input personal data, and I want to make sure it is secure. My web security team flagged my process, saying the website doesn't secure the JSESSIONID cookie and that it could be susceptible to a MITM (man-in-the-middle) attack.
I am using Windows Server 2012 R2 with the latest patches and IIS 8. I have a signed and trusted certificate from one of the approved CAs. I have tried to tweak the IIS settings every which way, but still can't get the first JSESSIONID cookie to be sent with the Secure flag.
How should I mitigate this specific security issue?
Thank you for your input.
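One way to enforce the Secure attribute on the JSESSIONID cookie at the IIS layer, added here as an illustration and not taken from the poster's configuration: an IIS URL Rewrite outbound rule in the site's web.config that rewrites any outgoing Set-Cookie header for JSESSIONID that does not already carry "; Secure". This assumes the URL Rewrite module is installed on the IIS 8 server (it is a separate download, not part of a default IIS install), that the rule is placed only on the HTTPS site, and that the application behind IIS sets the cookie without the flag; the rule name and preCondition name are arbitrary.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config for the HTTPS site in IIS 8 with the URL Rewrite module installed.
     It appends "; Secure" to Set-Cookie headers for JSESSIONID that lack the flag. -->
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Rule and preCondition names are arbitrary (assumption). -->
        <rule name="Add Secure flag to JSESSIONID" preCondition="JSESSIONID without Secure">
          <!-- {R:0} captures the entire Set-Cookie header value -->
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; Secure" />
        </rule>
        <preConditions>
          <!-- Only fire when the header is a JSESSIONID cookie and does not already say Secure.
               Patterns are case-insensitive by default in URL Rewrite. -->
          <preCondition name="JSESSIONID without Secure" logicalGrouping="MatchAll">
            <add input="{RESPONSE_Set_Cookie}" pattern="^JSESSIONID=" />
            <add input="{RESPONSE_Set_Cookie}" pattern=";\s*Secure" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After applying the rule, verify it from a client rather than trusting the config: request the page over HTTPS and confirm the Set-Cookie header for JSESSIONID now ends in "; Secure" (for example with the browser's developer tools or curl -I). Note that this rewrite fixes the symptom at the web server; if the same site also listens on plain HTTP, a Secure cookie will simply not be sent there, which is the desired behaviour, but the cleanest fix is still to have the application itself issue the cookie with the Secure attribute.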