summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2014-01-03 12:02:58 -0500
committerTim Graham <timograham@gmail.com>2014-01-03 12:04:18 -0500
commit2206321ff9494c5f05350def8b50d9680c59adca (patch)
tree1eaf8cec2b1ac4c91e03c7bf8d9980db696c3ef0 /docs
parent7a4d2b8e3d785f518ceec74c7ead862b84715618 (diff)
[1.6.x] Fixed a sentence in the session security docs; thanks claudep.
Backport of 4d27d311f6 from master
Diffstat (limited to 'docs')
-rw-r--r--docs/topics/http/sessions.txt4
1 files changed, 2 insertions, 2 deletions
diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt
index d8aa2d5ccc..c9c38ed4a9 100644
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -653,8 +653,8 @@ Session security
================
Subdomains within a site are able to set cookies on the client for the whole
-domain. This makes session fixation possible if all subdomains are not
-controlled by trusted users (or, are at least unable to set cookies).
+domain. This makes session fixation possible if cookies are permitted from
+subdomains not controlled by trusted users.
For example, an attacker could log into ``good.example.com`` and get a valid
session for his account. If the attacker has control over ``bad.example.com``,