ASP.Net MVC5 set secure and HTTPOnly flags

Question

I need to set the httponly and the secure flag to all the cookies of my site to pass the security scans of my customer. The web.config is configured correctly I think

<system.web>
   <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />

And it is working for all the cookies I create inside my application, but not for google analitycs ones (I know I can not do anything about it) and what I suppose are the session cookies of asp.net (ai_user and ai_session).

Searching for this two cookies lead to nothing. How can I force the httponly and secure flags?

I do not know if it is related, but I have also this rewrite rule

<rewrite>      
  <rules>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
    </rule>
  </rules>
</rewrite>

I tried to disable it, but nothing changed

Answer 1

I stumbled upon "ai_session" and "ai_user" cookies now with my project and I think they are from application insights. If you investigate further, please report back to community.