From 1a6bb55ce57681d79cc040582f62b905dab170a8 Mon Sep 17 00:00:00 2001
From: Fabio Bas
Date: Tue, 13 Jan 2015 18:03:29 +0100
Subject: Added some doc; refs #541
---
 demos/quickstart/protected/pages/Advanced/Security.page | 9 +++++++++
 framework/Web/THttpSession.php | 8 ++++++++
 2 files changed, 17 insertions(+)
diff --git a/demos/quickstart/protected/pages/Advanced/Security.page b/demos/quickstart/protected/pages/Advanced/Security.page
index 226d7e49..0994a980 100755
--- a/demos/quickstart/protected/pages/Advanced/Security.page
+++ b/demos/quickstart/protected/pages/Advanced/Security.page
@@ -86,4 +86,13 @@ $cookie=new THttpCookie($name,$value);
 $this->Response->Cookies[]=$cookie;
+

+To avoid the possibility of identity theft through some variants of XSS attacks, THttpSession should always be configured to enforce HttpOnly setting on session cookie.
+The HttpOnly setting is disabled by default. To enable it, configure the THttpSession module as follows,
+

+ + + + + diff --git a/framework/Web/THttpSession.php b/framework/Web/THttpSession.php index dd1cf854..6a2a3977 100644 --- a/framework/Web/THttpSession.php +++ b/framework/Web/THttpSession.php @@ -55,6 +55,14 @@ * GCProbability}, {@link getUseTransparentSessionID UseTransparentSessionID} * and {@link getTimeout TimeOut} are configurable properties of THttpSession. * + * To avoid the possibility of identity theft through some variants of XSS attacks, + * THttpSessionshould always be configured to enforce HttpOnly setting on session cookie. + * The HttpOnly setting is disabled by default. To enable it, configure the THttpSession + * module as follows, + * + * + * + * * @author Qiang Xue * @package System.Web * @since 3.0 -- cgit v1.2.3
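Review bot: The added docblock line `* THttpSessionshould always be configured to enforce HttpOnly setting on session cookie.` is missing the space after the class name; it should read `* THttpSession should always be configured to enforce the HttpOnly setting on the session cookie.`, which also matches the wording used in the Security.page hunk. The sentence ending `module as follows,` promises a configuration example, but the added lines that follow it are empty in the hunk as rendered here; if the example markup was only lost in rendering that is fine, otherwise the docblock never names the THttpSession property that turns HttpOnly on, and a reader cannot act on the advice without it. The hunk begins and ends inside the class-level docblock, so the enclosing comment continues outside it.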