https://bz.apache.org/bugzilla/show_bug.cgi?id=64921
--- Comment #4 from Mark Thomas <ma...@apache.org> --- You should be able to do this in the Valve: SessionCookieConfig scc = request.getContext().getServletContext().getSessionCookieConfig() Then the logic used when the session cookie is created is: sessionCookie.setSecure(request.isSecure() || scc.isSecure()) It should be possible to replicate that in the Valve. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org