diff options
Diffstat (limited to 'framework')
-rw-r--r-- | framework/Web/THttpSession.php | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/framework/Web/THttpSession.php b/framework/Web/THttpSession.php index dd1cf854..6a2a3977 100644 --- a/framework/Web/THttpSession.php +++ b/framework/Web/THttpSession.php @@ -55,6 +55,14 @@ * GCProbability}, {@link getUseTransparentSessionID UseTransparentSessionID} * and {@link getTimeout TimeOut} are configurable properties of THttpSession. * + * To avoid the possibility of identity theft through some variants of XSS attacks, + * THttpSessionshould always be configured to enforce HttpOnly setting on session cookie. + * The HttpOnly setting is disabled by default. To enable it, configure the THttpSession + * module as follows, + * <code> + * <module id="session" class="THttpSession" Cookie.HttpOnly="true" > + * </code> + * * @author Qiang Xue <qiang.xue@gmail.com> * @package System.Web * @since 3.0 |