From 4d27d311f6d598b799ce2cb2df88a1dc54ab8166 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Fri, 3 Jan 2014 12:02:58 -0500 Subject: [PATCH] Fixed a sentence in the session security docs; thanks claudep. --- docs/topics/http/sessions.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt index f7e8807945..2cf4751212 100644 --- a/docs/topics/http/sessions.txt +++ b/docs/topics/http/sessions.txt @@ -655,8 +655,8 @@ Session security ================ Subdomains within a site are able to set cookies on the client for the whole -domain. This makes session fixation possible if all subdomains are not -controlled by trusted users (or, are at least unable to set cookies). +domain. This makes session fixation possible if cookies are permitted from +subdomains not controlled by trusted users. For example, an attacker could log into ``good.example.com`` and get a valid session for their account. If the attacker has control over ``bad.example.com``,
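Review bot: The rewritten sentence drops the old parenthetical's mitigation condition, "(or, are at least unable to set cookies)", so the reader loses the one case in which sharing a domain with untrusted subdomains is safe; consider keeping it, e.g. "This makes session fixation possible if any subdomain that is able to set cookies for the whole domain is not controlled by trusted users." That wording also ties the second sentence back to the first ("Subdomains within a site are able to set cookies on the client for the whole domain"), whereas "if cookies are permitted from subdomains" leaves it unclear who is doing the permitting, since it is the browser's cookie domain model, not the site, that allows the subdomain's cookie to be sent to the whole domain.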