I know we can do something like this:

<session-config>
 <cookie-config>
 <secure>true</secure>
 </cookie-config>
</session-config>

But what I want to achieve is to set this flag (true or false) based on some config.

Should we use a filter and how ?

Thanks

Assuming that you are in a servlet 3.0+ environment, and you don't want to use web.xml to specify the cookie-secure-flag but set it programmatically:

Implement a ServletContextListener and register it in the web.xml or via annotation.
In its contextInitialized method evaluate your secure flag from your config and set it on the SessionCookieConfig:

public void contextInitialized(ServletContextEvent sce) {
     boolean secure = ...
     sce.getServletContext().getSessionCookieConfig().setSecure(secure);
}