We just had a penetration test and passed with flying colors; however, one of the few recommendations we do have is that cookies should only be used for session identifiers, and that all non-session cookie information be moved to the server (or the database).
We are using ASP.NET MVC 5 …. I don’t see anywhere in the code that we are specifically doing anything with cookies (adding information).
What is the best way to go about resolving this? Should I use Fiddler or some similar tool to see what the cookies actually contain over the wire and go from there?