[1.5.x] Fixed a sentence in the session security docs; thanks claudep.

Backport of 4d27d311f6 from master
2014-01-03 12:02:58 -05:00 · 2014-01-03 12:02:58 -05:00 · 1ccfcbe13e
parent ca4cd3fd10
commit 1ccfcbe13e
1 changed files with 2 additions and 2 deletions
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@ -732,8 +732,8 @@ Session security
 ================

 Subdomains within a site are able to set cookies on the client for the whole
-domain. This makes session fixation possible if all subdomains are not
-controlled by trusted users (or, are at least unable to set cookies).
+domain. This makes session fixation possible if cookies are permitted from
+subdomains not controlled by trusted users.

 For example, an attacker could log into ``good.example.com`` and get a valid
 session for his account. If the attacker has control over ``bad.example.com``,