I want to set 'secure' flag to JSESSIONID cookie . Is there a configuration in tomcat 6 for this ?

I tried by setting 'secure="true"' in 'Connector' (8080) element of server.xml , but it creates problems ....thats Connection is getting reset .

Note that in my application , the JSESSIONID is getting created in 'http' mode ( index page ) , when the user logins , it will switch into 'https' mode.

If you are using tomcat 6 you can do the following workaround

String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure ; HttpOnly");

see https://www.owasp.org/index.php/HttpOnly for more information

use the attribute useHttpOnly="true". In Tomcat9 the default value is true.