Pen tests [regularly] come back with "JSESSIONID Cookie is not secure" issue. It's is very easy to fix by enforcing secure=true in web.xml yet it is rather annoying to have to explain it again and again. And it also means pretty much all customers make a mistake of not setting the flag. OTOH setting it to true impairs local development as browser will refuse to serve the cookie over http and require https which is mostly not available on localhost.

—via had, see thread in #security

Therefore we consider setting cookies as secure & http-only (not for client-scripts) by default, programmatically.

• Obtain SessionCookieConfig from ServletContext in MagnoliaServletContextListener, in a manner similar to the JndiSessionCookieConfigListener on the popular SO thread Forcing Tomcat to use secure JSESSIONID cookie over http, except without JNDI .
• Configuring other flags of the SessionCookieConfig is out of scope at this stage (can be exposed via MP config when the time comes).
• Disable this behavior when magnolia.develop=true, to mitigate impact on local-development instances