  1. Undertow
  2. UNDERTOW-2325

secure-cookie() handler doesn't pick up directly-added set-cookie headers

    • Type: Enhancement
    • Resolution: Unresolved
    • Priority: Major
    • Security

      I've been testing the secure-cookie() handler and it doesn't work for an app server I use which doesn't set cookies via exchange.setResponseCookie() or servletResponse.addCookie() but instead sets a manually-created "set-cookie" header via servletResponse.addHeader(). This is because the SecureCookieCommitListener doesn't "see" the headers when it calls exchange.responseCookies().

      I suggest an enhancement to the SecureCookieCommitListener to also look through the response headers for any "set-cookie" headers and modify them as well.  Note, this will likely require parsing the header value.

            mjusko@redhat.com Marek Jusko
            bdw429s Brad Wood
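
The header-value parsing this enhancement would need, as an added example that is not Undertow's or the reporter's code: it appends Secure to raw "set-cookie" values only when no Secure attribute is already present. The class name, method names and sample header values are constructed for illustration, and running it over the response's Set-Cookie headers before commit is an assumed integration point.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper, not part of Undertow.
public class SetCookieSecureRewrite {

    // RFC 6265: segment 0 is name=value; later ';'-separated segments are
    // attributes, matched case-insensitively. Only those are inspected, so a
    // cookie named "secure" or a Path of "/secure" is not mistaken for the flag.
    static boolean hasSecure(String setCookie) {
        String[] parts = setCookie.split(";");
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim();
            int eq = attr.indexOf('=');
            String name = (eq >= 0 ? attr.substring(0, eq) : attr).trim();
            if (name.equalsIgnoreCase("secure")) {
                return true;
            }
        }
        return false;
    }

    // Append Secure unless already present; tolerate a trailing ';'.
    static String withSecure(String setCookie) {
        if (hasSecure(setCookie)) {
            return setCookie;
        }
        return setCookie.replaceAll("[;\\s]+$", "") + "; Secure";
    }

    // Assumed integration point: apply this to the response's Set-Cookie
    // header values before the response is committed.
    static List<String> rewriteAll(List<String> headerValues) {
        List<String> out = new ArrayList<>();
        for (String v : headerValues) {
            out.add(withSecure(v));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values, as an app might pass to addHeader().
        List<String> raw = List.of(
            "JSESSIONID=abc123; Path=/; HttpOnly",
            "secure=1; Path=/secure",
            "theme=dark; SECURE; SameSite=Lax",
            "id=42;");
        rewriteAll(raw).forEach(System.out::println);
    }
}
```

A substring check such as `value.contains("secure")` would skip the second sample value and leave that cookie without the flag, which is why the attribute segments are parsed individually.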