authorFabio Bas <ctrlaltca@gmail.com>2015-01-13 18:03:29 +0100
committerFabio Bas <ctrlaltca@gmail.com>2015-01-13 18:03:29 +0100
commit1a6bb55ce57681d79cc040582f62b905dab170a8 (patch)
tree2b5a8a2f2b15533295365ee7bc9d47d85bf02101
parentd7a084b30771a8abbfb66856773def1b01b13a9e (diff)
Added some doc; refs #541
-rwxr-xr-xdemos/quickstart/protected/pages/Advanced/Security.page9
-rw-r--r--framework/Web/THttpSession.php8
2 files changed, 17 insertions, 0 deletions
diff --git a/demos/quickstart/protected/pages/Advanced/Security.page b/demos/quickstart/protected/pages/Advanced/Security.page
index 226d7e49..0994a980 100755
--- a/demos/quickstart/protected/pages/Advanced/Security.page
+++ b/demos/quickstart/protected/pages/Advanced/Security.page
@@ -86,4 +86,13 @@ $cookie=new THttpCookie($name,$value);
$this->Response->Cookies[]=$cookie;
</com:TTextHighlighter>
+<p class="block-content">
+To avoid the possibility of identity theft through some variants of XSS attacks, <tt>THttpSession</tt> should always be configured to enforce <a href="http://php.net/manual/session.configuration.php#ini.session.cookie-httponly">HttpOnly</a> setting on session cookie.
+The HttpOnly setting is disabled by default. To enable it, configure the THttpSession module as follows,
+</p>
+<com:TTextHighlighter Language="xml" CssClass="source block-content">
+<modules>
+ <module id="session" class="THttpSession" Cookie.HttpOnly="true" >
+</modules>
+</com:TTextHighlighter>
</com:TContent>
diff --git a/framework/Web/THttpSession.php b/framework/Web/THttpSession.php
index dd1cf854..6a2a3977 100644
--- a/framework/Web/THttpSession.php
+++ b/framework/Web/THttpSession.php
@@ -55,6 +55,14 @@
* GCProbability}, {@link getUseTransparentSessionID UseTransparentSessionID}
* and {@link getTimeout TimeOut} are configurable properties of THttpSession.
*
+ * To avoid the possibility of identity theft through some variants of XSS attacks,
+ * THttpSessionshould always be configured to enforce HttpOnly setting on session cookie.
+ * The HttpOnly setting is disabled by default. To enable it, configure the THttpSession
+ * module as follows,
+ * <code>
+ * <module id="session" class="THttpSession" Cookie.HttpOnly="true" >
+ * </code>
+ *
* @author Qiang Xue <qiang.xue@gmail.com>
* @package System.Web
* @since 3.0
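Review bot: The new docblock text has a typo on its second line, `THttpSessionshould`, which should read `THttpSession should always be configured to enforce the HttpOnly setting on the session cookie`. The configuration example in the `<code>` block is also never closed: `<module id="session" class="THttpSession" Cookie.HttpOnly="true" >` leaves the element open, and if the application configuration is parsed as XML, as the `<modules>` wrapper used in the quickstart page suggests, it should be self-closed as `<module id="session" class="THttpSession" Cookie.HttpOnly="true" />`. The wording also overstates what the flag provides: HttpOnly only prevents script from reading the cookie value, it does not stop an XSS payload from issuing authenticated requests from the victim's browser, so I would describe it as reducing the risk of session hijacking rather than avoiding identity theft. The enclosing THttpSession class docblock begins before this hunk.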