summaryrefslogtreecommitdiff
path: root/framework/Web/THttpSession.php
diff options
context:
space:
mode:
authorFabio Bas <ctrlaltca@gmail.com>2015-01-13 18:03:29 +0100
committerFabio Bas <ctrlaltca@gmail.com>2015-01-13 18:03:29 +0100
commit1a6bb55ce57681d79cc040582f62b905dab170a8 (patch)
tree2b5a8a2f2b15533295365ee7bc9d47d85bf02101 /framework/Web/THttpSession.php
parentd7a084b30771a8abbfb66856773def1b01b13a9e (diff)
Added some doc; refs #541
Diffstat (limited to 'framework/Web/THttpSession.php')
-rw-r--r--framework/Web/THttpSession.php8
1 files changed, 8 insertions, 0 deletions
diff --git a/framework/Web/THttpSession.php b/framework/Web/THttpSession.php
index dd1cf854..6a2a3977 100644
--- a/framework/Web/THttpSession.php
+++ b/framework/Web/THttpSession.php
@@ -55,6 +55,14 @@
* GCProbability}, {@link getUseTransparentSessionID UseTransparentSessionID}
* and {@link getTimeout TimeOut} are configurable properties of THttpSession.
*
+ * To avoid the possibility of identity theft through some variants of XSS attacks,
+ * THttpSessionshould always be configured to enforce HttpOnly setting on session cookie.
+ * The HttpOnly setting is disabled by default. To enable it, configure the THttpSession
+ * module as follows,
+ * <code>
+ * <module id="session" class="THttpSession" Cookie.HttpOnly="true" >
+ * </code>
+ *
* @author Qiang Xue <qiang.xue@gmail.com>
* @package System.Web
* @since 3.0