diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt index f7e8807945..2cf4751212 100644 --- a/docs/topics/http/sessions.txt +++ b/docs/topics/http/sessions.txt @@ -655,8 +655,8 @@ Session security ================ Subdomains within a site are able to set cookies on the client for the whole -domain. This makes session fixation possible if all subdomains are not -controlled by trusted users (or, are at least unable to set cookies). +domain. This makes session fixation possible if cookies are permitted from +subdomains not controlled by trusted users. For example, an attacker could log into ``good.example.com`` and get a valid session for their account. If the attacker has control over ``bad.example.com``,
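Review bot: the new conditional "if cookies are permitted from subdomains not controlled by trusted users" reads as if permitting subdomain cookies were optional, but the sentence just before it states unconditionally that subdomains are able to set cookies for the whole domain, so the condition collapses to whether any subdomain is untrusted. Suggest the hunk say that directly, e.g. "This makes session fixation possible if any subdomain is not controlled by trusted users, since such a subdomain can set a session cookie for the whole domain." The removed parenthetical "(or, are at least unable to set cookies)" described a second escape hatch; if it was dropped because there is no reliable way to prevent a subdomain from setting parent-domain cookies, a short note to that effect would stop readers from looking for such a setting.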