X-Git-Url: http://git.freeside.biz/gitweb/?a=blobdiff_plain;f=rt%2Fetc%2FRT_Config.pm;fp=rt%2Fetc%2FRT_Config.pm;h=22fdff21893d0f0520dbcf0ab8cd8c32d7085812;hb=3e3a07a1f96d0e2f89cde0a33583c9b1276471f1;hp=b4ca44c961efceefdb138d315d1091ceb125f810;hpb=fb4ab1073f0d15d660c6cdc4e07afebf68ef3924;p=freeside.git
diff --git a/rt/etc/RT_Config.pm b/rt/etc/RT_Config.pm
index b4ca44c96..22fdff218 100644
--- a/rt/etc/RT_Config.pm
+++ b/rt/etc/RT_Config.pm
@@ -1261,6 +1261,19 @@ via SSL encrypted HTTP connections.
 Set($WebSecureCookies, 0);
+=item C<$WebHttpOnlyCookies>
+
+Default RT's session cookie to not being directly accessible to
+javascript. The content is still sent during regular and AJAX requests,
+and other cookies are unaffected, but the session-id is less
+programmatically accessible to javascript. Turning this off should only
+be necessary in situations with odd client-side authentication
+requirements.
+
+=cut
+
+Set($WebHttpOnlyCookies, 1);
+
 =item C<$WebFlushDbCacheEveryRequest>
 By default, RT clears its database cache after every page view.
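Review bot: The POD added for `$WebHttpOnlyCookies` describes the effect only loosely ("less programmatically accessible") and never names the `HttpOnly` cookie attribute, so an administrator searching the config for that term will not find this option. I would open the entry with `Set the HttpOnly attribute on RT's session cookie so that client-side script cannot read the session id.` and keep the existing sentence about the cookie still being sent on regular and AJAX requests. Because the context line above shows `$WebSecureCookies` defaulting to 0, the entry should also say in one sentence that this option limits session-id theft through injected script but does not protect the cookie on unencrypted connections, which is what `$WebSecureCookies` is for. The code that emits the session cookie is outside this hunk, so it cannot be confirmed from here that every path setting that cookie honours the new flag.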