I think I found my own answer in that it appears that Firefox can accept
a version 1 (RFC 2109) cookie, which we were using because the email
address contains an '@' that's not allowed as a value in version 0
cookies. When we converted to version 0 and encoded the @,
We set a secure cookie over HTTPS using:
javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie(name, value);
cookie.setVersion(1);
cookie.setMaxAge(60*60*24*90); // 90 days in seconds
cookie.setSecure(request.isSecure());
response.addCookie(cookie);
This works in Firefox and Chrome.