Forcing Tomcat to use secure JSESSIONID cookie over http

礼貌的吻别 2020-12-08 10:29

Is there a way to configure Tomcat 7 to create JSESSIONID cookie with a secure flag in all occasions?

Usual configuration results in Tomcat flagging session cookie

3 answers
  •  情话喂你
    2020-12-08 11:12

    In the end, contrary to my initial tests, the web.xml solution worked for me on Tomcat 7.

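    E.g., I added this snippet to web.xml and it marks the session cookie as secure even when the reverse proxy contacts Tomcat over plain HTTP.

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>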

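One way to verify the outcome the answer describes, as an added example that is not part of the original post: it parses saved response headers (for instance from the plain-HTTP hop between the reverse proxy and Tomcat) and reports whether the JSESSIONID cookie carries `Secure` and `HttpOnly`. The function names and the sample responses are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the Tomcat session cookie.
REQUIRED = ("secure", "httponly")  # flags expected on the session cookie

# Constructed sample responses (not captured from a real server).
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=secure0A1B2C3D; Path=/app; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "set-cookie: JSESSIONID=0A1B2C3D; Path=/app; Secure; HttpOnly\r\n"
)


def session_cookie_flags(raw_headers, cookie_name="JSESSIONID"):
    """Return one {attribute: value} dict per Set-Cookie for cookie_name."""
    found = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; skip everything but Set-Cookie.
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        # Cookie names are case-sensitive; only attributes are folded below.
        if parts[0].partition("=")[0].strip() != cookie_name:
            continue
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            if key.strip():
                attrs[key.strip().lower()] = val.strip()
        found.append(attrs)
    return found


def missing_flags(raw_headers, cookie_name="JSESSIONID"):
    """Sorted list of required flags absent from the session cookie.

    Returns None when the response sets no such cookie at all.
    """
    cookies = session_cookie_flags(raw_headers, cookie_name)
    if not cookies:
        return None
    missing = set()
    for attrs in cookies:
        missing.update(flag for flag in REQUIRED if flag not in attrs)
    return sorted(missing)
```

The first sample has a cookie value that begins with the text "secure" to show that only attributes after the first `;` are counted as flags.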