From 1a6bb55ce57681d79cc040582f62b905dab170a8 Mon Sep 17 00:00:00 2001 From: Fabio Bas Date: Tue, 13 Jan 2015 18:03:29 +0100 Subject: Added some doc; refs #541 --- demos/quickstart/protected/pages/Advanced/Security.page | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'demos/quickstart/protected')
diff --git a/demos/quickstart/protected/pages/Advanced/Security.page b/demos/quickstart/protected/pages/Advanced/Security.page
index 226d7e49..0994a980 100755
--- a/demos/quickstart/protected/pages/Advanced/Security.page
+++ b/demos/quickstart/protected/pages/Advanced/Security.page
@@ -86,4 +86,13 @@ $cookie=new THttpCookie($name,$value); $this->Response->Cookies[]=$cookie; +

+To avoid the possibility of identity theft through some variants of XSS attacks, THttpSession should always be configured to enforce HttpOnly setting on session cookie.
+The HttpOnly setting is disabled by default. To enable it, configure the THttpSession module as follows,
+

+ + + + + -- cgit v1.2.3