I am using Tomcat in my production environment and Jetty in my testing environment (via jetty-maven-plugin).
Tomcat sets the secure flag on a jsessionid cookie when it is sending it over a secure channel (https), which looks like a good idea to me, because it prevents the session from being exposed when the user clicks on an http:// link. But Jetty does not do so!
I would like to force Jetty to behave like Tomcat and always set the secure flag on jsessionid cookies sent over a secure channel, because otherwise my testing environment behaves considerably differently from my production environment. But I cannot find any configuration option to achieve this.
I am also wondering if this is a security bug in Jetty, because not marking a jsessionid cookie sent over a secure channel as secure reveals the secure session if the user switches back to an insecure channel.
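
A check for the behaviour difference described in the question, as an added example that is not part of the original post: it scans captured response headers and reports https responses that set JSESSIONID without the Secure attribute. The hosts, session ids and function names are constructed for illustration.

```python
# Added example: audit captured responses for JSESSIONID cookies lacking Secure.
from urllib.parse import urlsplit


def cookie_attributes(set_cookie_value):
    """Split one Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def insecure_session_cookies(responses, cookie_name="JSESSIONID"):
    """Return URLs whose https response set the session cookie without Secure."""
    findings = []
    for url, headers in responses:
        if urlsplit(url).scheme.lower() != "https":
            continue  # only cookies issued over the secure channel are in scope
        for header, value in headers:
            if header.lower() != "set-cookie":
                continue
            name, _, attrs = cookie_attributes(value)
            # Match on the parsed attribute, not a substring: a cookie value
            # that happens to contain "secure" must not count as flagged.
            if name == cookie_name and "secure" not in attrs:
                findings.append(url)
    return findings


# Constructed sample responses (hosts and session ids are made up).
SAMPLE = [
    ("https://prod.example/app/login",
     [("Set-Cookie", "JSESSIONID=1A2B; Path=/app; Secure; HttpOnly")]),
    ("https://test.example/app/login",
     [("Set-Cookie", "JSESSIONID=secure9F; Path=/app; HttpOnly")]),
    ("http://test.example/app/",
     [("Set-Cookie", "JSESSIONID=77AA; Path=/app")]),
]

if __name__ == "__main__":
    for url in insecure_session_cookies(SAMPLE):
        print("JSESSIONID without Secure over https:", url)
```

Running the same check against headers captured from both environments shows whether the test container matches production before a release depends on it.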