Opened 15 years ago
Last modified 13 years ago
#1351 closed defect
CreateSession can generate invalid session ids
| Reported by: | jng | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | 2.4 |
| Component: | Map Agent | Version: | 2.2.0 |
| Severity: | trivial | Keywords: | |
| Cc: | | External ID: | |
Description
The recent security patches for the AJAX viewer imposed the following pattern restriction on MapGuide session ids:
00000000-0000-0000-0000-000000000000_aa_00000000000000000000
The "aa" component is the locale in effect when the CREATESESSION mapagent call is made. However, if a custom LOCALE parameter is passed which is not 2 characters (e.g. en-US), then that value is incorporated into the generated session id itself, making the id unusable when it is passed to the AJAX viewer.
Attached is a modified mapagent form for the CREATESESSION operation.
Steps to reproduce:
- Load the modified form
- Specify a LOCALE longer than 2 characters (e.g. en-US)
- Invoke the CREATESESSION operation
- Open any WebLayout using this generated session id
- You will get an HTTP authentication prompt because the generated id fails the pattern check.
The LOCALE parameter should either be rejected or validated to ensure it is 2 characters wide.
Modified CREATESESSION form
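The following is an added illustration of the mismatch the ticket describes, not code from MapGuide's mapagent (C++) or AJAX viewer. It models the session id format quoted above, GUID `_` two-letter locale `_` 20-character component, with the unpatched CREATESESSION copying LOCALE straight into the id, and shows the two remedies the ticket proposes: reject a bad LOCALE, or reduce it to its 2-letter primary subtag. The assumptions that the GUID and trailing component are hexadecimal, and the names `create_session`, `viewer_accepts`, `normalize_locale` and `InvalidLocale`, are mine and not from the project.

```python
"""Model of CREATESESSION id generation versus the AJAX viewer's
session-id pattern check (ticket #1351).  Added example, not the
mapagent's or viewer's own code; format details beyond
"GUID _ 2-char locale _ 20 chars" are assumptions."""
import re
import uuid

# Pattern quoted in the ticket:
#   00000000-0000-0000-0000-000000000000_aa_00000000000000000000
# ASSUMPTION: the GUID and the trailing 20-character component are hex,
# and the locale is two ASCII letters.
SESSION_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"_[a-z]{2}_[0-9a-f]{20}$",
    re.IGNORECASE,
)

# What LOCALE must look like for the generated id to satisfy the pattern.
LOCALE_RE = re.compile(r"^[A-Za-z]{2}$")


class InvalidLocale(ValueError):
    """Raised when an id would be built from a LOCALE the viewer will reject."""


def locale_is_valid(locale: str) -> bool:
    return LOCALE_RE.fullmatch(locale) is not None


def normalize_locale(locale: str) -> str:
    """Second remedy from the ticket (hypothetical behaviour): reduce a tag
    such as 'en-US' or 'fr_CA' to its 2-letter primary subtag, and reject
    anything that does not yield exactly two letters."""
    primary = re.split(r"[-_]", locale, maxsplit=1)[0]
    if not locale_is_valid(primary):
        raise InvalidLocale(f"LOCALE {locale!r} is not a 2-letter code")
    return primary.lower()


def create_session(locale: str, *, validate: bool = True,
                   suffix: str = "0" * 20) -> str:
    """Build a session id.  validate=False models the unpatched behaviour:
    LOCALE is copied verbatim into the id.  validate=True is the first
    remedy from the ticket: reject anything that is not 2 letters.
    `suffix` is a constructed stand-in for the trailing 20-char component."""
    guid = str(uuid.uuid4())   # lowercase hex with hyphens; fits the GUID part
    if validate:
        if not locale_is_valid(locale):
            raise InvalidLocale(f"LOCALE {locale!r} must be exactly 2 letters")
        locale = locale.lower()
    return f"{guid}_{locale}_{suffix}"


def viewer_accepts(session_id: str) -> bool:
    """Viewer side: an id failing the pattern is refused, which the user
    sees as an HTTP authentication prompt."""
    return SESSION_ID_RE.match(session_id) is not None


if __name__ == "__main__":
    bad = create_session("en-US", validate=False)
    print(bad, "->", "accepted" if viewer_accepts(bad) else "REJECTED by viewer")
    good = create_session("en")
    print(good, "->", "accepted" if viewer_accepts(good) else "REJECTED by viewer")
    fixed = create_session(normalize_locale("en-US"))
    print(fixed, "->", "accepted after normalising LOCALE")
```

The point of the model is that the viewer's pattern check is the right place to keep a strict check, but the generator must enforce the same rule on its input, otherwise every caller that passes a BCP 47 style tag gets an id that can never be used. Rejecting is the safer of the two remedies: silently trimming `en-US` to `en` hides from the caller that part of the requested locale was discarded.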