diff options
author | Fabio Bas <ctrlaltca@gmail.com> | 2015-01-13 18:03:29 +0100 |
---|---|---|
committer | Fabio Bas <ctrlaltca@gmail.com> | 2015-01-13 18:03:29 +0100 |
commit | 1a6bb55ce57681d79cc040582f62b905dab170a8 (patch) | |
tree | 2b5a8a2f2b15533295365ee7bc9d47d85bf02101 /framework/Web/THttpSession.php | |
parent | d7a084b30771a8abbfb66856773def1b01b13a9e (diff) |
Added some doc; refs #541
Diffstat (limited to 'framework/Web/THttpSession.php')
-rw-r--r-- | framework/Web/THttpSession.php | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/framework/Web/THttpSession.php b/framework/Web/THttpSession.php index dd1cf854..6a2a3977 100644 --- a/framework/Web/THttpSession.php +++ b/framework/Web/THttpSession.php @@ -55,6 +55,14 @@ * GCProbability}, {@link getUseTransparentSessionID UseTransparentSessionID} * and {@link getTimeout TimeOut} are configurable properties of THttpSession. * + * To avoid the possibility of identity theft through some variants of XSS attacks, + * THttpSessionshould always be configured to enforce HttpOnly setting on session cookie. + * The HttpOnly setting is disabled by default. To enable it, configure the THttpSession + * module as follows, + * <code> + * <module id="session" class="THttpSession" Cookie.HttpOnly="true" > + * </code> + * * @author Qiang Xue <qiang.xue@gmail.com> * @package System.Web * @since 3.0 |