Session Identifier Cookies Only

We just had a penetration test and passed with flying colors, however one of the few recommendations we do have is that cookies should only be used for session identifiers, and that all non-session cookie information be moved to the server (or the database).

We are using ASP.Net MVC 5 …. I don’t see anywhere in the code that we are specifically doing anything with cookies (adding information).

What is the best way to go about resolving this? Should I use Fiddler or some similar tool to see what the cookies actually contain over the wire and go from there?