2 Replies Latest reply on Feb 7, 2018 2:26 PM by jgreif

    How to find interference with servlet session cookie attributes?

    jgreif

      Running in Wildfly-11.0.0.Final, JSESSIONID cookies are not being set with configured attributes when servlets in an EAR are accessed, but are set correctly when servlets in a separate WAR are accessed.  The EAR uses a large number of 3rd party libraries, many of which were recently upgraded to deal with results of a security audit.  Using an old version of the EAR, the session cookie attributes are set as configured, but not with the upgraded versions of the jars.

       

      I'm looking for suggestions about how to debug this problem.  Is there some logging that can be turned on, or a way to trace servlet filter chains, a way to determine where the undertow subsystem sets the session cookie, and whether anything can interfere with that header once it has been set or inhibit the setting of configured attributes, etc.?

       

      For testing, I've set the max-age property of the session cookie in the standalone.xml configuration file, and can look at the cookies in browser development tools to see whether it has an explicit expiration.

       

      It's not possible to revert the library versions one at a time owing to incompatibilities between older and newer libraries.
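
The max-age test described in the post can also be run against the raw `Set-Cookie` response headers rather than the browser's cookie view, which shows each header the server sent for JSESSIONID separately. The script below is an added example, not part of the original post and not WildFly or Undertow code; the header values, the 1800-second max-age and the HttpOnly expectation are constructed assumptions.

```python
# Added example: audit raw Set-Cookie headers for the session cookie.
# All header values below are constructed samples, not captured traffic.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(headers, expected, cookie_name="JSESSIONID"):
    """Return findings for one response's Set-Cookie header values.

    expected maps a lowercased attribute name to its required value,
    or to None when the attribute only has to be present (a flag).
    """
    matches = [(i, attrs) for i, h in enumerate(headers, 1)
               for name, _, attrs in [parse_set_cookie(h)]
               if name == cookie_name]
    if not matches:
        return [f"no Set-Cookie header for {cookie_name}"]
    findings = []
    if len(matches) > 1:
        findings.append(f"{cookie_name} set {len(matches)} times in one response")
    for i, attrs in matches:
        for key, want in expected.items():
            if key not in attrs:
                findings.append(f"header {i}: missing {key}")
            elif want is not None and attrs[key] != want:
                findings.append(f"header {i}: {key}={attrs[key]}, expected {want}")
    return findings


# Hypothetical configured attributes (the 1800 s value is an assumption).
EXPECTED = {"max-age": "1800", "httponly": None}

# Constructed responses: one as from the WAR, one as from the EAR.
WAR_HEADERS = ["JSESSIONID=aaa111.node1; path=/war; Max-Age=1800; HttpOnly"]
EAR_HEADERS = ["JSESSIONID=bbb222.node1; path=/ear; Max-Age=1800; HttpOnly",
               "JSESSIONID=bbb222.node1; path=/ear"]

if __name__ == "__main__":
    for label, hdrs in (("WAR", WAR_HEADERS), ("EAR", EAR_HEADERS)):
        print(label, audit_session_cookie(hdrs, EXPECTED) or "OK")
```

Feed it the `Set-Cookie` values copied from the response headers of a request to each deployment; the constructed EAR sample shows only one pattern the check would surface, not a diagnosis of the problem in the post.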