[#1941] Warn against setting httponly to False

ckan · Nov 20, 2014 · 8ece262 · 8ece262
1 parent 150f452
commit 8ece262
Showing 1 changed file with 2 additions and 4 deletions.
diff --git a/doc/maintaining/configuration.rst b/doc/maintaining/configuration.rst
@@ -68,14 +68,12 @@ Repoze.who Settings
 who.httponly
 ^^^^^^^^^^^^
 
-Example::
-
- who.httponly = False
-
 Default value: True
 
 This determines whether the HttpOnly flag will be set on the repoze.who
 authorization cookie. The default in the absence of the setting is ``True``.
+For enhanced security it is recommended to use the HttpOnly flag and not set
+this to ``False``, unless you have a good reason for doing so.
 
 
 Database Settings