View Issue Details

ID: 0012381
Project: mantisbt
Category: sub-projects
View Status: public
Last Update: 2012-11-01 07:45
Reporter: andrejusc
Assigned To: dregad
Priority: urgent
Severity: block
Reproducibility: random
Status: closed
Resolution: no change required
Platform: Windows XP SP3
OS:
OS Version:
Product Version: 1.2.3
Target Version:
Fixed in Version:
Summary: 0012381: APPLICATION ERROR #2800
Description

Hi,
While I try to Manage Projects and Add Category - I get this error:

APPLICATION ERROR #2800
Invalid form security token. Did you submit the form twice by accident?

I have this in my php.ini file:
session.gc_maxlifetime=14400

But that doesn't help.

What should I do?

Tags: No tags attached.

Relationships

duplicate of 0011680 (closed, dhx): Mantis APPLICATION ERROR #2800 for Mantis 1.2.0
has duplicate 0013082 (closed, dregad): Application 2800 Error When Reporting Issues
has duplicate 0014891 (closed, dregad): Problem with large notes, the session expirated?
related to 0013106 (closed, dregad): A lot of "APPLICATION ERROR #2800" when adding bug
related to 0013246 (closed, dregad): APPLICATION ERROR #2800 when submitting notes
related to 0012871 (closed, dregad): Unable to request password reset - ERROR 2800

Activities

andrejusc

2010-09-22 02:13

reporter   ~0026835

Same error with Firefox 3.6.10

Remember my login in this browser: unchecked
Secure Session: checked

Any other place to look at?

jreese

2010-09-27 15:19

reporter   ~0026875

There are multiple possible problems relating to proxy servers. Either you are using a proxy server with multiple exit nodes, which invalidates the user session, or your proxy server is incorrectly caching form pages, including the unique CSRF tokens. If either of those is the issue, and you cannot solve the root problem, then you can disable form security tokens via the configuration option $g_form_security_validation = OFF;

spoulsen

2010-10-18 14:52

reporter   ~0027069

We were having this problem and the change fixed it. We would like to put the change back, due to the security risk. However, the only PC that had this problem was one using IE8. Firefox, Chrome, and older IE versions seemed fine. NOTE: It was also fixed by doing a refresh (CTRL-Refresh or SHIFT-Refresh) on IE8 before entering form data.

andrejusc

2010-10-18 15:01

reporter   ~0027070

Yes, your suggestion with $g_form_security_validation = OFF; helped in my situation. While I don't have a lot of hackers going to my site - probably that could work for now.

TomR

2011-07-18 07:21

reporter   ~0029187

Last edited: 2011-07-18 07:27

I am seeing the same behavior as in 0012381:0027069. But it also occurs on IE8 in compatibility code.

What are the risks of $g_form_security_validation = OFF; ?

dhx

2011-07-18 07:37

reporter   ~0029188

It's very risky disabling CSRF protection. See http://en.wikipedia.org/wiki/Cross-site_request_forgery for details on how it works.

TomR

2011-07-18 08:14

reporter   ~0029189

I can understand that, but then my question is if this issue is already recognized and if there is a solution. Because now we have to make the trade-off between security (which was not present in older versions) and usability for the users.

Strange thing is that it seems browser-related (IE).

I notice a lot of comments on this bugtracker, the MantisBT forum and on the internet regarding this issue for quite some time, but do not find a solution.

Is anyone able to help?

dregad

2012-10-16 09:17

developer   ~0033228

Unassigned from jreese as he is no longer actively developing.

dregad

2012-10-19 05:28

developer   ~0033276

With error 2800, the problem is most likely caused by php session settings.

As pages tend to remain open for a while before the user eventually decides to type something, by the time they click the submit button the session has expired. If the garbage collector has removed the session data when the form is submitted, then the HTTP form's security token (CSRF protection) is no longer valid.

Recommendation is to increase session.gc_maxlifetime as appropriate (in the office I have it set to 8 hrs, so it's valid for a normal work day).
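
The mechanism described in the note above, as an added illustration (this is not MantisBT's own form_security code, which lives in the project's core): a session-bound CSRF token checked against a PHP-style session store whose garbage collector drops sessions idle for longer than session.gc_maxlifetime. The class and function names (SessionStore, FormSecurity, open_and_submit, forged_submission_accepted), the form name "manage_proj_cat_add" and the 1440-second lifetime (PHP's php.ini default) are assumptions chosen for the example. It shows the two outcomes discussed in this thread: raising the lifetime keeps a long-open form submittable while still rejecting a request that carries no valid token, whereas the OFF setting accepts everything.

```python
"""Session-bound CSRF form token vs. PHP-style session garbage collection.

Added example, not MantisBT's own form_security implementation. The names
SessionStore, FormSecurity, open_and_submit, forged_submission_accepted and
the form name "manage_proj_cat_add" are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

PHP_DEFAULT_GC_MAXLIFETIME = 1440  # seconds; php.ini default for session.gc_maxlifetime


class SessionStore:
    """In-memory stand-in for PHP session files.

    Like PHP's collector, gc() drops any session idle for longer than
    gc_maxlifetime seconds. PHP runs its collector only probabilistically
    (session.gc_probability / session.gc_divisor); this model runs it on
    every access, so the failure is deterministic rather than "random".
    """

    def __init__(self, gc_maxlifetime: int, clock: Callable[[], float]) -> None:
        self.gc_maxlifetime = gc_maxlifetime
        self.clock = clock  # injected so the example can fast-forward time
        self._data: Dict[str, dict] = {}
        self._last_access: Dict[str, float] = {}

    def start(self) -> str:
        sid = secrets.token_hex(16)
        self._data[sid] = {}
        self._last_access[sid] = self.clock()
        return sid

    def gc(self) -> None:
        now = self.clock()
        for sid in [s for s, t in self._last_access.items()
                    if now - t > self.gc_maxlifetime]:
            del self._data[sid]
            del self._last_access[sid]

    def get(self, sid: str) -> Optional[dict]:
        """Return the session dict, or None if the collector removed it."""
        self.gc()
        if sid not in self._data:
            return None
        self._last_access[sid] = self.clock()
        return self._data[sid]


class FormSecurity:
    """One secret per session; the token for a form is HMAC(secret, form name)."""

    def __init__(self, store: SessionStore, validation_enabled: bool = True) -> None:
        self.store = store
        self.validation_enabled = validation_enabled

    def token(self, sid: str, form_name: str) -> str:
        """Issue the hidden-field token embedded when the form page is rendered."""
        session = self.store.get(sid)
        if session is None:
            raise LookupError("session has expired")
        secret = session.setdefault("_csrf_secret", secrets.token_hex(32))
        return hmac.new(secret.encode(), form_name.encode(), hashlib.sha256).hexdigest()

    def validate(self, sid: str, form_name: str, submitted: str) -> bool:
        """Check a submitted token. False corresponds to APPLICATION ERROR #2800."""
        if not self.validation_enabled:
            # Equivalent of $g_form_security_validation = OFF: nothing is checked,
            # so a request carrying no valid token is accepted as well.
            return True
        session = self.store.get(sid)
        if session is None or "_csrf_secret" not in session:
            return False  # session garbage-collected: token can no longer be verified
        expected = hmac.new(session["_csrf_secret"].encode(), form_name.encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, submitted)


def open_and_submit(gc_maxlifetime: int, idle_seconds: int,
                    validation_enabled: bool = True) -> bool:
    """Render the form at t=0, leave it open for idle_seconds, then submit it."""
    now = [0.0]
    store = SessionStore(gc_maxlifetime, clock=lambda: now[0])
    forms = FormSecurity(store, validation_enabled)
    sid = store.start()
    token = forms.token(sid, "manage_proj_cat_add")  # constructed form name
    now[0] += idle_seconds
    return forms.validate(sid, "manage_proj_cat_add", token)


def forged_submission_accepted(validation_enabled: bool) -> bool:
    """A request from another origin never sees the session secret, so the best
    it can do is submit a made-up token; this is what OFF stops rejecting."""
    now = [0.0]
    store = SessionStore(PHP_DEFAULT_GC_MAXLIFETIME, clock=lambda: now[0])
    forms = FormSecurity(store, validation_enabled)
    sid = store.start()
    forms.token(sid, "manage_proj_cat_add")  # the legitimate page was rendered
    return forms.validate(sid, "manage_proj_cat_add", "0" * 64)


if __name__ == "__main__":
    print("default 1440 s, submitted after 10 min:", open_and_submit(1440, 600))
    print("default 1440 s, submitted after 60 min:", open_and_submit(1440, 3600))
    print("8 h lifetime,   submitted after 60 min:", open_and_submit(8 * 3600, 3600))
    print("validation OFF, made-up token accepted:", forged_submission_accepted(False))
```

Because the real PHP collector fires only with probability gc_probability/gc_divisor on each session start, an expired session may survive several more requests before it is actually removed, which is why the reproducibility on this report is "random" and why the problem shows up most on the slowest-filled forms (notes, new issues). Raising session.gc_maxlifetime keeps the check intact and only widens the window; the OFF setting removes the check for every request.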

Issue History

Date Modified Username Field Change
2010-09-21 05:52 andrejusc New Issue
2010-09-22 02:13 andrejusc Note Added: 0026835
2010-09-27 15:19 jreese Note Added: 0026875
2010-09-27 15:19 jreese Assigned To => jreese
2010-09-27 15:19 jreese Status new => feedback
2010-10-18 14:52 spoulsen Note Added: 0027069
2010-10-18 15:01 andrejusc Note Added: 0027070
2010-10-18 15:01 andrejusc Status feedback => assigned
2011-06-15 02:10 atrol Relationship added related to 0013082
2011-07-18 07:21 TomR Note Added: 0029187
2011-07-18 07:27 TomR Note Edited: 0029187 View Revisions
2011-07-18 07:37 dhx Note Added: 0029188
2011-07-18 08:14 TomR Note Added: 0029189
2012-10-16 09:03 dregad Status assigned => confirmed
2012-10-16 09:04 dregad Assigned To jreese =>
2012-10-16 09:17 dregad Note Added: 0033228
2012-10-19 05:12 dregad Relationship replaced has duplicate 0013082
2012-10-19 05:12 dregad Relationship added related to 0013106
2012-10-19 05:21 dregad Relationship added related to 0013246
2012-10-19 05:21 dregad Relationship added related to 0012871
2012-10-19 05:28 dregad Note Added: 0033276
2012-10-19 05:28 dregad Status confirmed => resolved
2012-10-19 05:28 dregad Resolution open => no change required
2012-10-19 05:28 dregad Assigned To => dregad
2012-10-19 05:37 dregad Relationship added duplicate of 0011680
2012-10-31 07:35 dregad Relationship added has duplicate 0014891
2012-11-01 07:45 atrol Status resolved => closed