Session cookie's SameSite attribute isn't set (QVE-12-2019-14)
OWASP suggests setting the SameSite attribute for sessions cookies. Currently it isn't set.
More about SameSite: https://medium.com/compass-security/samesite-cookie-attribute-33b3bfeaeb95