id: 1351
summary: CreateSession can generate invalid session ids
reporter: jng
owner: jng
type: defect
status: closed
priority: low
milestone: 2.4
component: Map Agent
version: 2.2.0
severity: trivial
resolution: fixed
keywords:
cc:
external_id:

description:

The recent security patches for the AJAX viewer imposed the following pattern restriction on MapGuide session ids:

00000000-0000-0000-0000-000000000000_aa_00000000000000000000

The "aa" component is the locale when the CREATESESSION mapagent call is made. However, if a custom LOCALE parameter is passed which is not 2 characters (e.g. en-US), then that is actually incorporated into the generated session id itself, making it unusable when it is passed to the AJAX viewer.

Attached is a modified mapagent form for the CREATESESSION operation.

Steps to reproduce:

1. Load the modified form
2. Specify a LOCALE greater than 2 characters (e.g. en-US)
3. Invoke the CREATESESSION operation
4. Open any WebLayout using this generated session id
5. You will get an HTTP authentication prompt because the generated id fails the pattern check.

The LOCALE parameter should either be rejected or validated to ensure it is 2 characters wide.
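The mismatch described in this ticket, and the LOCALE validation it asks for, as an added example that is not MapGuide's own code. The function names, the sample GUID and tail, and the reading of the pattern (hex digits for each 0, ASCII letters for each a) are assumptions.

```cpp
#include <initializer_list>
#include <iostream>
#include <regex>
#include <string>

// Shape quoted in the ticket:
//   00000000-0000-0000-0000-000000000000_aa_00000000000000000000
// Assumption: each 0 is a hex digit and each a is an ASCII letter.
static const std::regex kSessionIdShape(
    "^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
    "_[A-Za-z]{2}_[0-9A-Fa-f]{20}$");
static const std::regex kLocaleShape("^[A-Za-z]{2}$");

// Constructed sample values, not taken from a real server.
static const std::string kSampleGuid = "0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9";
static const std::string kSampleTail = "0123456789abcdef0123";

bool is_valid_session_id(const std::string& id) {
    return std::regex_match(id, kSessionIdShape);
}

bool is_valid_locale(const std::string& locale) {
    return std::regex_match(locale, kLocaleShape);
}

// Behaviour the ticket describes: LOCALE is embedded as supplied.
std::string build_session_id_unchecked(const std::string& guid,
                                       const std::string& locale,
                                       const std::string& tail) {
    return guid + "_" + locale + "_" + tail;
}

// Behaviour the ticket asks for: reject a LOCALE that is not two letters,
// then confirm the finished id passes the same check the viewer applies.
bool build_session_id_checked(const std::string& guid, const std::string& locale,
                              const std::string& tail, std::string& out) {
    if (!is_valid_locale(locale)) return false;
    const std::string id = build_session_id_unchecked(guid, locale, tail);
    if (!is_valid_session_id(id)) return false;
    out = id;
    return true;
}

int main() {
    for (const char* locale : {"en", "en-US", "en_US", "e"}) {
        std::string id = build_session_id_unchecked(kSampleGuid, locale, kSampleTail);
        std::string checked;
        bool issued = build_session_id_checked(kSampleGuid, locale, kSampleTail, checked);
        std::cout << locale << ": unchecked id " << (is_valid_session_id(id) ? "passes" : "fails")
                  << ", checked builder " << (issued ? "issues" : "rejects") << "\n";
    }
    return 0;
}
```

Validating at creation time means an id is never issued that the viewer will later refuse, so the failure surfaces at CREATESESSION instead of as an authentication prompt.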