I have looked at the use case in more details. When there is load
balancer, the web container itself may not have enough information to
validate those port numbers before encoding.
In this case, I would suggest to just add a method to API so that users
can check whether the session is secure and do appropriate changes if
necessary.
Shing Wai Chan