javax.servlet.SessionCookieConfig#getMaxAge states that by default -1 should be returned:

Gets the lifetime (in seconds) of the session tracking cookies created on behalf of the application represented by the ServletContext from which this SessionCookieConfig was acquired.
By default, -1 is returned.

Source

Undertow does not respect this since its javax.servlet.SessionCookieConfig implementation, SessionCookieConfigImpl, delegates to Undertow's io.undertow.server.session.SessionCookieConfig which defaults the maxAge attribute to zero.

We have recently implemented the ability to configure Spring Session's session cookie using SessionCookieConfig and this causes problems for Undertow users since we rely on -1 to indicate the default value, as defined by Servlet API spec.