As part of securing the application for production deployment, additional security configuration is required to instruct web browsers to restrict access to potentially sensitive cookie information. To configure this additional security, add the following text to both the application server and authorization server web.config files:
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>