
Chapter 9. Troubleshooting

This chapter provides the Administrator with additional information related to Application Errors and common problems in MantisBT.
Useful additional reference information and support may also be found on the MantisBT website, more specifically the Forums and the Bugtracker.

9.1. Application Errors

Additional information about common MantisBT errors.

9.1.1. Error 2800 - Invalid form security token

This error may only occur when Form Validation is enabled with $g_form_security_validation = ON (see Section 5.4, “Webserver”). There are several known cases that could trigger it:
  • Multiple submissions of a form by clicking on the submit button several times (user error)
  • Invalid or unauthorized submission of a form, e.g. by hand-crafting the URL (CSRF attack)
  • Expired PHP session
In the first two instances, MantisBT's behavior is by design, and the response is as expected. For expired sessions, however, the user is impacted by system behavior, which can cause not only confusion but also loss of submitted form data. What happens is driven by several php.ini configuration settings:
With PHP default values, sessions created more than 1440 seconds (24 minutes) ago have a 1% chance to be invalidated each time a new session is initialized. This explains the seemingly random occurrence of this error.
Unfortunately, this problem cannot be fixed without a major rework of the way sessions and form security are handled in MantisBT.
As a workaround, the Administrator can:
  • Increase the value of session.gc_maxlifetime
  • Set $g_form_security_validation = OFF. Note that for security reasons, it is strongly recommended not to do this.
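
Before raising session.gc_maxlifetime, it helps to see what the server is actually running with. The following script is an added example, not part of MantisBT or its documentation. It reads the session garbage collection settings and shows how quickly the per-start chance accumulates into a likely session loss. It assumes the standard php.ini directives session.gc_probability and session.gc_divisor (not named on this page), whose ratio gives the chance that cleanup runs on a session start. The traffic levels in the loop are constructed sample values.

```php
<?php
// Added example, not MantisBT code: report how PHP's session garbage
// collection settings relate to error 2800 on this server.

/**
 * Probability that at least one GC run happens within $starts session
 * initializations, given the per-start chance $p.
 */
function gc_chance_within(float $p, int $starts): float
{
    return 1.0 - pow(1.0 - $p, $starts);
}

$lifetime    = (int) ini_get('session.gc_maxlifetime');  // seconds
$probability = (int) ini_get('session.gc_probability');
$divisor     = (int) ini_get('session.gc_divisor');

// Per-session-start chance that garbage collection runs at all.
$p = ($divisor > 0) ? min(1.0, $probability / $divisor) : 0.0;

printf("session.gc_maxlifetime = %d s (%.1f min)\n", $lifetime, $lifetime / 60);
printf("GC chance per session start = %d/%d = %.2f%%\n", $probability, $divisor, $p * 100);

if ($p <= 0.0) {
    // Some installations disable PHP-side GC and clean up sessions externally.
    echo "PHP-side GC is disabled; check for an external cleanup job (e.g. cron).\n";
} else {
    // Constructed traffic levels: session starts that occur after a user's
    // session has already been idle for longer than gc_maxlifetime.
    foreach ([10, 50, 100, 500] as $starts) {
        printf("  after %3d further session starts: %.1f%% chance the idle session is gone\n",
            $starts, gc_chance_within($p, $starts) * 100);
    }
}
```

Run it under the same PHP configuration the web server uses, since the command-line interpreter often loads a different php.ini.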
Users may also install local tools to avoid loss of form data, such as the Typio Form Recovery Chrome extension or the Form History Control add-on for Firefox and Chrome.
Further references and reading: