I think I've found a bug in Undertow and I have a patch. I thought I'd explain.

We have multiple WARs serving a site. One WAR covers the root context '/' and a variety of sub paths/contexts. A couple of other WARs serve specific sub contexts, such as /selfserve.

If you open a browser and go to / and look at the browser cookies, you will see JSESSIONID with path=/. Then go to /selfserve and look at the cookies. You now have two JSESSIONID cookies: one for path=/ and one for path=/selfserve. As far as I know this is all normal and correct.

From here, when my app tries to use the session, it fails in various ways. What I found was that if I deleted the JSESSIONID cookie that was associated with path=/ then everything worked. After digging around in the code I found where the cookies are being added to a HashMap by name. It looks like the last cookie loaded wins, which means the correct cookie is loaded first and then overridden by the wrong one.
I have a patch in git and can send a pull request.
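
The behaviour described in the post above, as an added example that is not part of the original post and is not Undertow's code: a Cookie header carrying two JSESSIONID values is parsed once with last-wins and once with first-wins map semantics, and each result is looked up in the /selfserve session table. The class name, the `parse` helper, the cookie values and the session table are hypothetical and constructed for illustration; the header order (longer path first) is an assumption about the browser.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class DuplicateCookieDemo {

    // Parse a Cookie request header into a name -> value map.
    // keepFirst=false: plain put(), so a later duplicate overwrites an earlier one.
    // keepFirst=true:  putIfAbsent(), so the first value seen for a name is kept.
    static Map<String, String> parse(String header, boolean keepFirst) {
        Map<String, String> cookies = new LinkedHashMap<>();
        for (String raw : header.split(";")) {
            String pair = raw.trim();
            int eq = pair.indexOf('=');
            if (eq <= 0) {
                continue; // no name or no '=': skip the malformed pair
            }
            String name = pair.substring(0, eq).trim();
            String value = pair.substring(eq + 1).trim();
            if (keepFirst) {
                cookies.putIfAbsent(name, value);
            } else {
                cookies.put(name, value);
            }
        }
        return cookies;
    }

    public static void main(String[] args) {
        // Constructed header for a request to /selfserve. Assumption: the browser
        // lists the cookie with the longer path (/selfserve) before the one for /.
        String header = "JSESSIONID=selfserve-id; JSESSIONID=root-id";

        // Constructed session table of the /selfserve application: it only
        // knows the session id it issued itself.
        Map<String, String> selfserveSessions = Map.of("selfserve-id", "user=alice");

        String lastWins = parse(header, false).get("JSESSIONID");
        String firstWins = parse(header, true).get("JSESSIONID");

        System.out.println("last wins  -> " + lastWins + " -> session: "
                + selfserveSessions.get(lastWins));
        System.out.println("first wins -> " + firstWins + " -> session: "
                + selfserveSessions.get(firstWins));
    }
}
```

RFC 6265 asks browsers to list cookies with longer paths first but tells servers not to rely on that order, so first-wins addresses this case rather than guaranteeing the right cookie is chosen.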