Ah, to answer my own question, it seems I can just extend DefaultWebSessionManager (which I already did for my project) and set the attribute on the cookie in the constructor. Basically, I have:
That was easy! I can see not wanting to set this by default, but it might make sense for Shiro to have a SecureWebSessionManager class that did this.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/JSESSIONID-not-Secure-tp7579894p7579895.html
Sent from the Shiro User mailing list archive at Nabble.com.
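One way to write the subclass described in the post above, as an added example that is neither the poster's code (which did not survive on this page) nor part of Shiro. The class name follows the poster's suggestion, and the `harden` helper and the `SID` cookie in `main` are hypothetical; it also sets HttpOnly and re-applies both attributes when the cookie object is replaced through the setter.

```java
import org.apache.shiro.web.servlet.Cookie;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/**
 * Added example: a session manager whose session-ID cookie carries the
 * Secure and HttpOnly attributes from construction onwards.
 */
public class SecureWebSessionManager extends DefaultWebSessionManager {

    public SecureWebSessionManager() {
        super(); // the parent constructor creates the default JSESSIONID cookie
        harden(getSessionIdCookie());
    }

    /**
     * Covers the case where configuration swaps in a different cookie object.
     * It does not stop later code from calling setSecure(false) on that cookie.
     */
    @Override
    public void setSessionIdCookie(Cookie sessionIdCookie) {
        harden(sessionIdCookie);
        super.setSessionIdCookie(sessionIdCookie);
    }

    private static void harden(Cookie cookie) {
        if (cookie == null) {
            return;
        }
        cookie.setSecure(true);   // browser returns the cookie over HTTPS only
        cookie.setHttpOnly(true); // cookie is not exposed to page scripts
    }

    // Stand-alone check; needs shiro-web and its dependencies on the classpath.
    public static void main(String[] args) {
        SecureWebSessionManager manager = new SecureWebSessionManager();
        System.out.println("default cookie secure: "
                + manager.getSessionIdCookie().isSecure());

        Cookie replacement = new SimpleCookie("SID"); // constructed sample cookie
        manager.setSessionIdCookie(replacement);
        System.out.println("replacement cookie secure: "
                + manager.getSessionIdCookie().isSecure());
    }
}
```

With the Secure attribute set, browsers do not send the session cookie on plain-HTTP requests, so any part of the application still reachable over HTTP will see no session.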
