Page 1 of 1

2702 warning on line 227

Posted: 30 Nov 2016, 14:05
by ajtruckle72
I am using the latest beta of Mantis. One of my users has a problem on their PC. IPad is fine. The issue is a specific topic id.

The error is as displayed as shown in the attached image:
MAntis issue 599 error.png
MAntis issue 599 error.png (47.29 KiB) Viewed 6489 times
Appreciate any guidance.

Topic is OK for me.

Thanks.

Re: 2702 warning on line 227

Posted: 01 Dec 2016, 07:46
by atrol
I am not able to reproduce the issue using the provided information.
The warning is triggered if the IP address of the session has changed.

Re: 2702 warning on line 227

Posted: 25 Mar 2020, 23:59
by Starbuck
I just got this same error on a different v2.x version.
Apparently this issue has been present since v1.2.
https://mantisbt.org/bugs/view.php?id=19820
https://mantisbt.org/bugs/view.php?id=20273

The problem is not with a specific OS, PHP version, Mantis BT version, or any other such detail.
The problem is either:

1) The simple check for the client IP address is inadequate for determining session state. There are some legitimate reasons why an IP address can change. A LAN with DHCP can reset and reassign IP addresses to network PCs. A developer can login to Mantis to check tickets, and then connect to a VPN to work on a project. A user with two PCs can login to Mantis on both.

Frankly, while I believe those real-world conditions are legitimate, as a technician I think it's understandable that any software, including Mantis, would and should invalidate a session when it discovers that an IP address has changed. The scenario smells of a hijack, and I appreciate that a check exists to protect us against "man in the middle" attacks.

But that then leads to ...

2) We can understand that the scenario happens. We have verification that it does. So I think the real problem is that Mantis doesn't gracefully handle the scenario. An mysterious error is reported and the page resets. That's not elegant. It would be much better if the user is informed of the exact condition, with a button for confirmation, followed by a logoff of the session. Force the user to re-login with the current IP rather than forcing them to clear cache or guess at the problem and solution.

That would be my suggestion for an enhancement. I don't see this as a bug.