If you intend your site to always use HTTPS to serve pages, or if your HTTP downloads do not require authentication, then set cookies as secure only. The browser will then not include the cookies in any HTTP (non-HTTPS) request. If you are unable to set this flag for some reason, you may want to reevaluate your approach, as it really should be set.
For standard forms authentication it can be set like so in the web.config under system.web:
<httpCookies requireSSL="true" />
For OWIN you may need to set a flag like below. You can use a parameter in your app settings to turn it off and on between development and production.
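// SameAsRequest is the OWIN default; switch to Always when the app setting asks for it.
var cookieSecureOption = CookieSecureOption.SameAsRequest;
if (ConfigurationManager.AppSettings["SetMyCookieAsSecure"] == "true")
    cookieSecureOption = CookieSecureOption.Always;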
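To show where that option ends up, here is an added example (not code from the original post) of an OWIN Startup class that passes the value to the cookie authentication middleware. The `ResolveCookieSecureOption` helper, the `/Account/Login` path and the choice to keep the flag on unless the setting is explicitly `false` are assumptions of this example.

```csharp
using System;
using System.Configuration;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Same app setting name as in the snippet above.
        string setting = ConfigurationManager.AppSettings["SetMyCookieAsSecure"];

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            LoginPath = new PathString("/Account/Login"), // hypothetical login path
            CookieHttpOnly = true,                        // keep the cookie away from script
            CookieSecure = ResolveCookieSecureOption(setting)
        });
    }

    // Hypothetical helper. Assumption of this example: a missing or mistyped
    // setting must not silently drop the Secure flag, so only an explicit
    // "false" (for a development box without HTTPS) relaxes it.
    internal static CookieSecureOption ResolveCookieSecureOption(string setting)
    {
        bool explicitlyDisabled = string.Equals(
            setting == null ? null : setting.Trim(),
            "false",
            StringComparison.OrdinalIgnoreCase);

        return explicitlyDisabled
            ? CookieSecureOption.SameAsRequest // Secure only when the request was HTTPS
            : CookieSecureOption.Always;       // Secure on every authentication cookie
    }
}
```

With `CookieSecureOption.Always`, the authentication cookie in the `Set-Cookie` response header carries the `secure` attribute, which you can confirm in the browser's developer tools after signing in.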