Our site running Nop 4.30 is scanned by Trustwave and has failed, as the .Nop.Customer cookie is flagged up as insecure. When I look in the dev tools in Chrome I only see the cookie as secure; however, Trustwave sent this curl output that shows 2 entries for .Nop.Customer. The first one doesn't have the secure flag set but the 2nd one does.
Any idea why there are two entries, and how to stop this or ensure both are using the secure flag? It looks like the cookie is only set from WebWorkContext.SetCustomerCookie(), which looks like it is setting the secure flag correctly.
[scan@scan-css-util-7 ~]$ curl -Ik https://82.223.26.91/
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: .Nop.Customer=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/
Set-Cookie: .Nop.Customer=7c0d8518-eeb2-4324-8187-fc7a53cfc9d3; expires=Thu, 05 Aug 2021 17:32:23 GMT; path=/; secure; httponly
Set-Cookie: .Nop.TempData=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=lax; httponly
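An added example, not part of the original post or of nopCommerce: a header audit that treats every Set-Cookie line separately, the way the scan output does, and marks which entries are deletion headers (empty value, 1970 expiry) and which lack the secure attribute. The header text is copied from the curl output above; the function names are hypothetical.

```python
from email.utils import parsedate_to_datetime

# Response headers copied from the curl output in the post above.
RAW_HEADERS = """\
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: .Nop.Customer=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/
Set-Cookie: .Nop.Customer=7c0d8518-eeb2-4324-8187-fc7a53cfc9d3; expires=Thu, 05 Aug 2021 17:32:23 GMT; path=/; secure; httponly
Set-Cookie: .Nop.TempData=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=lax; httponly
"""

def parse_set_cookie(header_value):
    """Return (name, value, attrs) with attribute names lower-cased."""
    pair, *rest = [part.strip() for part in header_value.split(";")]
    name, _, value = pair.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def is_deletion(value, attrs):
    """Empty value plus an expiry at the Unix epoch marks a 'delete this cookie' header."""
    if value or "expires" not in attrs:
        return False
    try:
        return parsedate_to_datetime(attrs["expires"]).year <= 1970
    except (TypeError, ValueError):
        return False

def audit_cookies(raw_headers):
    """One finding per Set-Cookie line; duplicates by name are kept, as a scanner sees them."""
    findings = []
    for line in raw_headers.splitlines():
        field, sep, header_value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, value, attrs = parse_set_cookie(header_value)
        findings.append({"name": name, "secure": "secure" in attrs,
                         "httponly": "httponly" in attrs,
                         "deletion": is_deletion(value, attrs)})
    return findings

if __name__ == "__main__":
    for f in audit_cookies(RAW_HEADERS):
        status = "ok" if f["secure"] else "MISSING secure"
        kind = "deletion" if f["deletion"] else "value"
        print(f'{f["name"]:<15} {kind:<9} {status}')
```

Run against the headers above, the only entry without secure is the first .Nop.Customer line, and it is a deletion header rather than the line that carries the customer GUID.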