diff options
| author | Tim Graham <timograham@gmail.com> | 2014-01-03 12:02:58 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-01-03 12:04:18 -0500 |
| commit | 2206321ff9494c5f05350def8b50d9680c59adca (patch) | |
| tree | 1eaf8cec2b1ac4c91e03c7bf8d9980db696c3ef0 /docs | |
| parent | 7a4d2b8e3d785f518ceec74c7ead862b84715618 (diff) | |
[1.6.x] Fixed a sentence in the session security docs; thanks claudep.
Backport of 4d27d311f6 from master
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/topics/http/sessions.txt | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt index d8aa2d5ccc..c9c38ed4a9 100644 --- a/docs/topics/http/sessions.txt +++ b/docs/topics/http/sessions.txt @@ -653,8 +653,8 @@ Session security ================ Subdomains within a site are able to set cookies on the client for the whole -domain. This makes session fixation possible if all subdomains are not -controlled by trusted users (or, are at least unable to set cookies). +domain. This makes session fixation possible if cookies are permitted from +subdomains not controlled by trusted users. For example, an attacker could log into ``good.example.com`` and get a valid session for his account. If the attacker has control over ``bad.example.com``, |
