HOW do you make a cookie secure when it's HTTP-only??? That sounds like an innate contradiction.
HTTP is inherently insecure because it is unencrypted and easily read by any man-in-the-middle. That's the whole purpose of HTTPS.
Cookies are not magic. They're sent as lines of header text in the HTTP requests and responses. So anyone can intercept and abuse a cookie any time they want.
I don't know what security manager you're using and PLEASE don't tell me it's something some "genius" has cooked up, because unless that genius is a full-time security professional, my experience is that DIY security systems can be broken by non-technical persons in under 15 minutes about 90% of the time.
If you're using the security system that's built into the JEE standard, and thus into all JEE webapp servers (including Tomcat and Jetty), then proper app security requires that when you log in, your transport be HTTPS and that the login session key be transmitted in the jsessionid cookie. To avoid exploits, the value of this cookie is changed to an unpredictable new value as part of the login process (which is why you should NEVER cache jsessionid). The value of jsessionid contains no session information itself; it acts only as a hash key into the webapp server's Map of jsessionid/HttpSession.
Aside from that, though, many modern-day webapp clients will scream in rage if you attempt to request via HTTP instead of HTTPS and in most cases, the HTTP URL will be rewritten as HTTPS. HTTP is simply not adequate for the open Internet these days.
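As an added illustration (this is not code from the original post, nor the container's own code), here is a Servlet 3.1 login servlet for a JEE container such as Tomcat that does the three things described above: it refuses to accept credentials over plain HTTP, it authenticates against the container's configured realm, and it rotates the session id at login so the pre-login jsessionid no longer maps to anything. The nested listener marks the session cookie HttpOnly and Secure. The `/login` and `/home` paths, the `j_username`/`j_password` parameter names and the class names are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example, not from the original post. Paths and parameter names are assumptions. */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    /**
     * Flags the container's session cookie (JSESSIONID) so that page scripts cannot read it
     * and the browser never attaches it to a plain-HTTP request. SessionCookieConfig can only
     * be changed before the context starts, hence the listener. The same two flags can also be
     * declared in web.xml under session-config/cookie-config.
     */
    @WebListener
    public static class CookieHardening implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
            cfg.setHttpOnly(true);   // not visible to document.cookie
            cfg.setSecure(true);     // sent only over HTTPS
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Never take credentials over plain HTTP: the password and the cookie would both
        //    cross the wire in cleartext. Reject rather than redirect, so the POST body is not
        //    replayed to another URL by the client.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Login requires HTTPS");
            return;
        }

        String user = req.getParameter("j_username");
        String password = req.getParameter("j_password");
        if (user == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing credentials");
            return;
        }

        try {
            // 2. Authenticate against the realm the container is configured with (JEE standard
            //    security) instead of a home-grown check. login() throws on bad credentials.
            req.login(user, password);
        } catch (ServletException badCredentials) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Bad credentials");
            return;
        }

        // 3. Rotate the session id. Whatever JSESSIONID value the browser held before login
        //    (including one an attacker might have planted) now maps to nothing in the
        //    container's session Map; the new value goes out in a fresh Set-Cookie header.
        //    The session attributes survive, only the key changes.
        HttpSession session = req.getSession(true);
        req.changeSessionId();   // Servlet 3.1+; never log the id values themselves
        session.setAttribute("login.time", System.currentTimeMillis());

        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

Deploy this in a webapp whose realm is configured in the container, and the HTTPS requirement can additionally be enforced declaratively with a `<security-constraint>` whose `<transport-guarantee>` is `CONFIDENTIAL`, which makes the container itself redirect HTTP requests for the protected URLs to HTTPS.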