From 86b5edc2d448cb9c8e90b76b77b21b09d69d8527 Mon Sep 17 00:00:00 2001
From: ivan
Date: Sat, 21 Jan 2012 04:01:54 +0000
Subject: rt 3.8.11
---
 rt/etc/RT_Config.pm.in | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'rt/etc/RT_Config.pm.in')
diff --git a/rt/etc/RT_Config.pm.in b/rt/etc/RT_Config.pm.in
index 94eea5ade..aa43985c1 100644
--- a/rt/etc/RT_Config.pm.in
+++ b/rt/etc/RT_Config.pm.in
@@ -1261,6 +1261,19 @@ via SSL encrypted HTTP connections.
 Set($WebSecureCookies, 0);
+=item C<$WebHttpOnlyCookies>
+
+Default RT's session cookie to not being directly accessible to
+javascript. The content is still sent during regular and AJAX requests,
+and other cookies are unaffected, but the session-id is less
+programmatically accessible to javascript. Turning this off should only
+be necessary in situations with odd client-side authentication
+requirements.
+
+=cut
+
+Set($WebHttpOnlyCookies, 1);
+
 =item C<$WebFlushDbCacheEveryRequest>
 By default, RT clears its database cache after every page view.
-- cgit v1.2.1
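Review bot: The POD added for `$WebHttpOnlyCookies` never says what the flag protects against, so an administrator who reads "odd client-side authentication requirements" has no basis for weighing the cost of turning it off. I would open the entry with the purpose, for example `Mark RT's session cookie HttpOnly so that scripts running in the page cannot read the session id; this limits session theft if a cross-site scripting bug is present.` It is also worth one sentence saying the flag is independent of `$WebSecureCookies`, which the context line just above still sets to 0, so HttpOnly alone does not keep the session cookie off unencrypted connections. As the existing text already notes, the cookie is still sent with every regular and AJAX request, so the setting narrows the impact of script injection rather than preventing it; saying so plainly would stop readers treating it as a complete XSS defence.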