Opened 9 years ago

Closed 7 years ago

#1351 closed defect (fixed)

CreateSession can generate invalid session ids

Reported by: jng Owned by: jng
Priority: low Milestone: 2.4
Component: Map Agent Version: 2.2.0
Severity: trivial Keywords:
Cc: External ID:

Description (last modified by jng)

The recent security patches for the AJAX viewer imposed the following pattern restriction on MapGuide session ids:


The "aa" component is the locale when the CREATESESSION mapagent call is made. However if a custom LOCALE parameter is passed which is not 2 characters (eg. en-US), then that is actually incorporated into the generated session id itself, making it unusable when it is passed to the AJAX viewer.

Attached is a modified mapagent form for the CREATESESSION operation.

Steps to reproduce:

  1. Load the modified form
  2. Specify a LOCALE greater than 2 characters (eg. en-US)
  3. Invoke the CREATESESSION operation
  4. Open any WebLayout? using this generated session id
  5. You will get a http authentication prompt because the generated id fails the pattern check.

The LOCALE parameter should either be rejected or validated to ensure it is 2 characters wide.

Attachments (1)

createsessionform.html (642 bytes) - added by jng 9 years ago.

Download all attachments as: .zip

Change History (7)

Changed 9 years ago by jng

Attachment: createsessionform.html added


comment:1 Changed 9 years ago by jng

Description: modified (diff)

comment:2 Changed 9 years ago by tomfukushima

Owner: set to chrisclaydon

comment:3 Changed 8 years ago by tomfukushima

Owner: changed from chrisclaydon to liuar

Reassign to Arthur.

comment:4 Changed 7 years ago by jng

Owner: changed from liuar to jng

The problem is in MgUserInformation::CreateMgSessionId?()

It does not check the length of the locale property.

comment:5 Changed 7 years ago by jng

Milestone: 2.4

comment:6 Changed 7 years ago by jng

Resolution: fixed
Status: newclosed

Fixed in trunk (r6667) and 2.4 (r6666)

Note: See TracTickets for help on using tickets.