From 1ccfcbe13e636584b19575c53e029918b70a3b39 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Fri, 3 Jan 2014 12:02:58 -0500 Subject: [PATCH] [1.5.x] Fixed a sentence in the session security docs; thanks claudep. Backport of 4d27d311f6 from master --- docs/topics/http/sessions.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt index abc5d004b0..8904cd6578 100644 --- a/docs/topics/http/sessions.txt +++ b/docs/topics/http/sessions.txt @@ -732,8 +732,8 @@ Session security ================ Subdomains within a site are able to set cookies on the client for the whole -domain. This makes session fixation possible if all subdomains are not -controlled by trusted users (or, are at least unable to set cookies). +domain. This makes session fixation possible if cookies are permitted from +subdomains not controlled by trusted users. For example, an attacker could log into ``good.example.com`` and get a valid session for his account. If the attacker has control over ``bad.example.com``,
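Review bot: the replacement wording "if cookies are permitted from subdomains not controlled by trusted users" leaves it unclear who does the permitting, since the preceding sentence already states that any subdomain is able to set cookies for the whole domain on the client side, so there is no separate permission step for the site operator to grant or withhold. Consider stating the actual precondition directly, for example "This makes session fixation possible if any subdomain is controlled by someone who is not trusted", which keeps the meaning of the removed parenthetical without suggesting a configurable switch that the surrounding text does not describe. Minor style point in the unchanged context: the example uses "his account"; "their account" avoids assuming the attacker's gender.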