[1.6.x] Fixed a sentence in the session security docs; thanks claudep.

Backport of 4d27d311f6 from master
2025-03-12 18:30:48 +00:00 · 2014-01-03 12:02:58 -05:00 · 2014-01-03 12:02:58 -05:00 · 2206321ff9
commit 2206321ff9
parent 7a4d2b8e3d
1 changed files with 2 additions and 2 deletions
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@ -653,8 +653,8 @@ Session security
 ================

 Subdomains within a site are able to set cookies on the client for the whole
-domain. This makes session fixation possible if all subdomains are not
-controlled by trusted users (or, are at least unable to set cookies).
+domain. This makes session fixation possible if cookies are permitted from
+subdomains not controlled by trusted users.

 For example, an attacker could log into ``good.example.com`` and get a valid
 session for his account. If the attacker has control over ``bad.example.com``,