Cookies penetration test remediations
Good day,
We recently had penetration testing conducted on our HealthShare Clinical Viewer and Patient Index instances, and below are the recommendations:
1. Set a SameSite cookie attribute for the identified CSPWSERVERID cookie. Please advise where I can do this, as I only saw this in the Web Gateway settings, and it has only enable and disable options.
2. Avoid the usage of session cookies as an Anti-CSRF token on the identified cookie IRISSessionToken. Please advise if this is used as a session cookie, as they mentioned that if it is not used as a session cookie we can ignore their recommended remediation. I found that this is set under %CSP.Login. Please provide a motivation for not removing this if we opt not to remove it as per the findings.
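As an added example (not part of the original post and not InterSystems code), the script below audits raw Set-Cookie header values for the attributes a pentest report such as the one above typically checks: Secure, HttpOnly and SameSite. The sample headers are constructed for illustration; the cookie names match the finding but the values and paths are invented. It can be pointed at the headers returned by the actual instance after a remediation to confirm the change took effect.

```python
"""Audit Set-Cookie header values for Secure, HttpOnly and SameSite attributes."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample response headers; not captured from any real HealthShare instance.
SAMPLE_HEADERS = [
    "CSPWSERVERID=abc123; path=/; HttpOnly",
    "IRISSessionToken=def456; path=/csp/healthshare; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; path=/; Secure; SameSite=None",
]


@dataclass
class CookieReport:
    name: str
    attrs: Dict[str, object]
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, object]]:
    """Split one Set-Cookie value into the cookie name and a lower-cased attribute map.

    Flag attributes without a value (HttpOnly, Secure) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {"value": value}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def audit_cookie(header: str) -> CookieReport:
    """Return the cookie name plus a list of attribute problems, in a fixed order."""
    name, attrs = parse_set_cookie(header)
    issues: List[str] = []
    if "secure" not in attrs:
        issues.append("missing Secure")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        # Absent, or present without a value: browsers fall back to their default.
        issues.append("missing SameSite")
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        # SameSite=None is only honoured by browsers when Secure is also set.
        issues.append("SameSite=None requires Secure")
    return CookieReport(name, attrs, issues)


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its list of issues (empty list means no findings)."""
    return {report.name: report.issues for report in map(audit_cookie, headers)}


if __name__ == "__main__":
    for cookie, problems in audit_all(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(problems) if problems else 'ok'}")
```

The script only checks attributes on the wire; whether IRISSessionToken is actually used as the session identifier (the condition under which the second finding applies) depends on the application's own use of the cookie and has to be confirmed against the product documentation or Support, as the reply below suggests.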
I strongly recommend that you reach out to Support with these questions.