The session cookie's domain defaults to that of the requested host. It is often useful to set that to a parent domain (e.g. example.com rather than www.example.com).

Undertow could provide a per-application and global configuration option to change the cookie domain. In Tomcat, this requires the use of a custom valve such as https://github.com/nekop/java-examples/blob/master/customvalve/src/main/java/com/redhat/jboss/support/ConfigureSessionCookieValve.java