From 8ece262d1c2ac4f42e04a35449da1136bedfb5fd Mon Sep 17 00:00:00 2001 From: Brook Elgie Date: Thu, 20 Nov 2014 08:41:19 +0000 Subject: [PATCH] [#1941] Warn against setting httponly to False --- doc/maintaining/configuration.rst | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/doc/maintaining/configuration.rst b/doc/maintaining/configuration.rst index 6278c1a8731..29e60bce7af 100644 --- a/doc/maintaining/configuration.rst +++ b/doc/maintaining/configuration.rst @@ -68,14 +68,12 @@ Repoze.who Settings who.httponly ^^^^^^^^^^^^ -Example:: - - who.httponly = False - Default value: True This determines whether the HttpOnly flag will be set on the repoze.who authorization cookie. The default in the absence of the setting is ``True``. +For enhanced security it is recommended to use the HttpOnly flag and not set +this to ``False``, unless you have a good reason for doing so. Database Settings
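Review bot: the new sentence in the who.httponly hunk says to avoid ``False`` "unless you have a good reason", but never tells the reader what HttpOnly actually buys them, so they cannot judge whether their reason is good. Suggest stating the concrete trade-off, e.g. "With HttpOnly set, the repoze.who cookie is not readable by client-side scripts (``document.cookie``), which limits the damage of a cross-site scripting flaw; only set this to ``False`` if JavaScript on your site genuinely needs to read the authorization cookie." Two smaller points in the same hunk: removing the ``Example::`` block outright leaves this setting without the example that the surrounding settings in this file appear to carry, so consider replacing it with the secure value (``who.httponly = True``) rather than deleting it, and the retained sentence "The default in the absence of the setting is ``True``" repeats the "Default value: True" line immediately above it and could be dropped.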