what's probably happening is that mantis is logging you out after some time specified by your admin. So when you try to add a note it throws back an error saying your security token was invalid, which is just a fancy way of saying your login timed out. And like you said, if you refreshed the screen it grabs a new security token and you can enter in notes.

Since you aren't specifically re-entering your login credentials, i'm assuming you are using the "Remember my IP address" or whatnot feature when you log in. So knowing those two things i'd agree with you that this is a bug. In the sense that it should at least try to grab a new security token if it can before erroring out.

Thanks for the reply. You are right, I've enabled the "Secure Session (Only allow your session to be used from this IP address)" when logined to Mantis. But where can I reset the time out variable?

Form security tokens are stored in PHP sessions and thus are subject to PHP's settings relating to session expiry times. MantisBT itself has something like a 3 day expiry for form security tokens (the idea being that you may leave screens open on Friday and return on Monday to finish up your work).

Please see http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime

This is happening in 1.2. I was entering bugs and did one bug report, then followed with another, and got the application error 2800 message. This was an active session, definitely not timed-out.

It could be a php-related problem. Version 1.1.8 had this in it, and version 1.2 also demonstrates the same behavior.

As a note, in other PHP applications, I noticed that sometimes after using my session, the session just dies without any apparent cause. So this is more and more looking like a PHP problem and not really a mantis problem.