View Issue Details

IDProjectCategoryView StatusLast Update
0012381mantisbtsub-projectspublic2012-11-01 07:45
Reporterandrejusc Assigned Todregad  
Status closedResolutionno change required 
PlatformWindows XP SP3 
Product Version1.2.3 
Summary0012381: APPLICATION ERROR #2800

While I try to Manage Projects and Add Category - I get this error:

Invalid form security token. Did you submit the form twice by accident?

I have this in my php.ini file:

But that doesn't help.

What should I do?

TagsNo tags attached.


duplicate of 0011680 closeddhx Mantis APPLICATION ERROR #2800 for Mantis 1.2.0 
has duplicate 0013082 closeddregad Application 2800 Error When Reporting Issues 
has duplicate 0014891 closeddregad Problem with large notes, the session expirated? 
related to 0013106 closeddregad A lot of "APPLICATION ERROR #2800" when adding bug 
related to 0013246 closeddregad APPLICATION ERROR #2800 when submitting notes 
related to 0012871 closeddregad Unable to request password reset - ERROR 2800 




2010-09-22 02:13

reporter   ~0026835

Same error with Firefox 3.6.10

Remember my login in this browser: unchecked
Secure Session: checked

Any other place to look at?



2010-09-27 15:19

reporter   ~0026875

There are multiple possible problems relating to proxy servers. Either you are using a proxy server with multiple exit nodes which invalidates the user session, or your proxy server is incorrectly caching form pages, including the unique CSRF tokens. If either of those are the issue, and you cannot solve the root problem, then you can disable form security tokens via the configuration option $g_form_security_validaton = OFF;



2010-10-18 14:52

reporter   ~0027069

We were having this problem and the change fixed it. We would like to put the change back, due to the security risk. However, the only PC that had this problem was one using IE8. Firefox, Chrome, and older IE versions seemed fine. NOTE: It was also fixed by doing a refresh (CTRL-Refresh or SHIFT-Refresh) on IE8 before entering form data.



2010-10-18 15:01

reporter   ~0027070

Yes, your suggestion with $g_form_security_validaton = OFF; helped in my situation. While I don't have a lot of hackers going to my site - probably that could work for now.



2011-07-18 07:21

reporter   ~0029187

Last edited: 2011-07-18 07:27

I am seeing the same behavior as in 0012381:0027069. But it also occurs on IE8 in compatibility code.

What are the risks of $g_form_security_validaton = OFF; ?



2011-07-18 07:37

reporter   ~0029188

It's very risky disabling CSRF protection. See for details on how it works.



2011-07-18 08:14

reporter   ~0029189

I can understand that, but then my question is if this issue is already recognized and if there is a solution. Because niw we have to made the trade-off between security ( which was not present in older versions ) and usability for the users.

Strange thing is that it seems browser-related ( IE ).

I notice a lot of comments on the this bugtracker, the MantisBT forum and on the internet regarding this issue for quit some time, but do not find a solution.

Is anyone able to help?



2012-10-16 09:17

developer   ~0033228

Unassigned from jreese as he is no longer actively developing.



2012-10-19 05:28

developer   ~0033276

With error 2800, the problem is most likely caused by php session settings.

As pages tends to remain open for a while before user eventually decides to type something, by the time they click the submit button the session has expired. If the garbage collector has removed the session data when the form is submitted, then the http form's security token (CSRF protection) is no longer valid.

Recommendation is to increase session.gc_maxlifetime as appropriate (in the office I have it set to 8 hrs, so it's valid for a normal work day).