There is no way to “scan” the cookies your application might set to clients. Imagine a situation where your application sets 2 cookies for visitors from US while the scanning tool runs from Europe, or a cookie that is set when an order is made. You need to either *know* the full codebase and what might be set based on different criteria, or write code to record all your responses with set-cookie involved to identify the cookies you might set.
No external “cookie scanning” tool can ever be 100% correct.
