Fixed a sentence in the session security docs; thanks claudep.

This commit is contained in:
Tim Graham 2014-01-03 12:02:58 -05:00
parent e6800ea136
commit 4d27d311f6
1 changed files with 2 additions and 2 deletions

View File

@ -655,8 +655,8 @@ Session security
================
Subdomains within a site are able to set cookies on the client for the whole
domain. This makes session fixation possible if all subdomains are not
controlled by trusted users (or, are at least unable to set cookies).
domain. This makes session fixation possible if cookies are permitted from
subdomains not controlled by trusted users.
For example, an attacker could log into ``good.example.com`` and get a valid
session for their account. If the attacker has control over ``bad.example.com``,