From 1a6bb55ce57681d79cc040582f62b905dab170a8 Mon Sep 17 00:00:00 2001 From: Fabio Bas Date: Tue, 13 Jan 2015 18:03:29 +0100 Subject: Added some doc; refs #541 --- framework/Web/THttpSession.php | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'framework') diff --git a/framework/Web/THttpSession.php b/framework/Web/THttpSession.php index dd1cf854..6a2a3977 100644 --- a/framework/Web/THttpSession.php +++ b/framework/Web/THttpSession.php @@ -55,6 +55,14 @@ * GCProbability}, {@link getUseTransparentSessionID UseTransparentSessionID} * and {@link getTimeout TimeOut} are configurable properties of THttpSession. * + * To avoid the possibility of identity theft through some variants of XSS attacks, + * THttpSessionshould always be configured to enforce HttpOnly setting on session cookie. + * The HttpOnly setting is disabled by default. To enable it, configure the THttpSession + * module as follows, + * + * + * + * * @author Qiang Xue * @package System.Web * @since 3.0 -- cgit v1.2.3
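Review bot: The added docblock announces a configuration example ("configure the THttpSession module as follows,") but the lines that follow it in this hunk are empty comment lines, so the reader is told how to enable HttpOnly and then shown nothing; either the example was dropped or it was never written, and the hunk should carry the actual module configuration (or at least name the property that turns the setting on) before this merges. Two smaller points in the same lines: "THttpSessionshould" is missing a space ("THttpSession should"), and "enforce HttpOnly setting on session cookie" reads better as "enforce the HttpOnly flag on the session cookie". Since the text also states that HttpOnly is disabled by default, it would help to say explicitly that this is a security-relevant default that applications should override, rather than leaving it as an aside.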