diff options
| author | Tim Graham <timograham@gmail.com> | 2014-01-03 12:02:58 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-01-03 12:02:58 -0500 |
| commit | 4d27d311f6d598b799ce2cb2df88a1dc54ab8166 (patch) | |
| tree | 4f39b7bde3cc5051742df671d4ef18d30847bc09 /docs | |
| parent | e6800ea136aaa882682dbb7dc54423c5f002b551 (diff) | |
Fixed a sentence in the session security docs; thanks claudep.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/topics/http/sessions.txt | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt index f7e8807945..2cf4751212 100644 --- a/docs/topics/http/sessions.txt +++ b/docs/topics/http/sessions.txt @@ -655,8 +655,8 @@ Session security ================ Subdomains within a site are able to set cookies on the client for the whole -domain. This makes session fixation possible if all subdomains are not -controlled by trusted users (or, are at least unable to set cookies). +domain. This makes session fixation possible if cookies are permitted from +subdomains not controlled by trusted users. For example, an attacker could log into ``good.example.com`` and get a valid session for their account. If the attacker has control over ``bad.example.com``, |
