diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt index abc5d004b0..8904cd6578 100644 --- a/docs/topics/http/sessions.txt +++ b/docs/topics/http/sessions.txt @@ -732,8 +732,8 @@ Session security ================ Subdomains within a site are able to set cookies on the client for the whole -domain. This makes session fixation possible if all subdomains are not -controlled by trusted users (or, are at least unable to set cookies). +domain. This makes session fixation possible if cookies are permitted from +subdomains not controlled by trusted users. For example, an attacker could log into ``good.example.com`` and get a valid session for his account. If the attacker has control over ``bad.example.com``,
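Review bot: the new wording in the first hunk, "if cookies are permitted from subdomains not controlled by trusted users", drops the original's explicit alternative that the risk is absent when untrusted subdomains are "at least unable to set cookies", and "permitted from" is ambiguous about who permits them (the browser, the site operator, or Django). Consider stating the condition directly in terms of capability, e.g. "This makes session fixation possible if any subdomain that is able to set cookies for the whole domain is not controlled by trusted users." The unchanged context line "get a valid session for his account" could also be made gender-neutral ("their account") while this paragraph is being touched.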