Added some doc; refs #541

author: Fabio Bas <ctrlaltca@gmail.com> 2015-01-13 18:03:29 +0100
committer: Fabio Bas <ctrlaltca@gmail.com> 2015-01-13 18:03:29 +0100
commit: 1a6bb55ce57681d79cc040582f62b905dab170a8 (patch)
tree: 2b5a8a2f2b15533295365ee7bc9d47d85bf02101 /demos/quickstart/protected
parent: d7a084b30771a8abbfb66856773def1b01b13a9e (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/demos/quickstart/protected/pages/Advanced/Security.page b/demos/quickstart/protected/pages/Advanced/Security.page
index 226d7e49..0994a980 100755
--- a/demos/quickstart/protected/pages/Advanced/Security.page
+++ b/demos/quickstart/protected/pages/Advanced/Security.page
@@ -86,4 +86,13 @@ $cookie=new THttpCookie($name,$value);
 $this->Response->Cookies[]=$cookie;
 </com:TTextHighlighter>
 
+<p class="block-content">
+To avoid the possibility of identity theft through some variants of XSS attacks, <tt>THttpSession</tt> should always be configured to enforce <a href="http://php.net/manual/session.configuration.php#ini.session.cookie-httponly">HttpOnly</a> setting on session cookie.
+The HttpOnly setting is disabled by default. To enable it, configure the THttpSession module as follows,
+</p>
+<com:TTextHighlighter Language="xml" CssClass="source block-content">
+<modules>
+  <module id="session" class="THttpSession" Cookie.HttpOnly="true" >
+</modules>
+</com:TTextHighlighter>
 </com:TContent>
author	Fabio Bas <ctrlaltca@gmail.com>	2015-01-13 18:03:29 +0100
committer	Fabio Bas <ctrlaltca@gmail.com>	2015-01-13 18:03:29 +0100
commit	1a6bb55ce57681d79cc040582f62b905dab170a8 (patch)
tree	2b5a8a2f2b15533295365ee7bc9d47d85bf02101 /demos/quickstart/protected
parent	d7a084b30771a8abbfb66856773def1b01b13a9e (diff)