View Issue Details

ID: 0028385
Project: mantisbt
Category: rss
View Status: public
Last Update: 2021-04-29 12:13
Reporter: antoinec
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Product Version: 2.25.0
Summary: 0028385: The RSS URL is functional for a short time
Description

Hello,

When I copy the RSS URL and paste the URL into my RSS reader, it works.

But the next day (maybe before), my RSS reader says the RSS feed is not available.
So I copy the URL again and paste it ... it works again.

Is there a timeout or duration for the RSS link?

Have a nice day

Additional Information

Mantis BT 2.25.0
DB MSSQL

Tags: No tags attached.

Relationships

related to 0027976 (closed, dregad): CVE-2009-20001: User cookie string is not reset upon logout

Activities

antoinec
2021-04-29 07:52
reporter

Exemple.jpg (23,366 bytes)
dregad
2021-04-29 11:53
developer ~0065455

The RSS key is a hash calculated based on username, password and session cookie string.

So, if one of these elements changes (which could, for example, happen because you logged out, causing your session cookie to change, or because you are using a "non-permanent" session by not checking the "Remember my login in this browser" box at login time), then the RSS link is no longer able to log you in automatically and gives you a login page instead. And even if you log in successfully, the key is still no longer valid.

I didn't test, but this could be a consequence of 0027976. Was it working before 2.24.5 ?
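The mechanism described in the comment above, as an added example that is not MantisBT's own code: a small Python model of a feed key derived from username, password hash and session cookie string, showing why a copied feed URL stops validating once the cookie string is regenerated (on logout, or by a non-permanent session) and what `issue_rss.php` falls back to for an anonymous request. The function names (`rss_calculate_key`, `serve_feed`, `login`, `logout`), the SHA-256 construction, the session rules and the sample user are assumptions made for illustration, not the project's implementation.

```python
"""
Added example, not MantisBT's own code: a minimal model of an RSS feed key
derived from username, password hash and session cookie string, showing why
rotating the cookie string (on logout, or on each non-permanent session)
invalidates a previously copied feed URL. Function names, the hash
construction and the session rules are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    password_hash: str  # constructed sample value, never a real credential
    cookie_string: str = field(default_factory=lambda: secrets.token_hex(32))


def rss_calculate_key(user: User) -> str:
    """Feed key bound to the three inputs the comment lists (assumed construction)."""
    material = "|".join((user.username, user.password_hash, user.cookie_string))
    return hashlib.sha256(material.encode()).hexdigest()


def rss_key_is_valid(user: User, presented_key: str) -> bool:
    """Constant-time comparison so key checking does not leak via timing."""
    expected = rss_calculate_key(user).encode()
    return hmac.compare_digest(expected, presented_key.encode())


def feed_url(base: str, user: User) -> str:
    """The URL the user copies into the RSS reader (assumed parameter names)."""
    return f"{base}/issue_rss.php?username={user.username}&key={rss_calculate_key(user)}"


def logout(user: User) -> None:
    """Modeled security fix: the cookie string is regenerated at logout so a
    stolen cookie cannot be replayed. Every key derived from it dies with it."""
    user.cookie_string = secrets.token_hex(32)


def login(user: User, remember: bool) -> None:
    """Modeled session rule from the comment: a permanent session ('Remember my
    login') keeps the stored cookie string; a non-permanent one gets a fresh one."""
    if not remember:
        user.cookie_string = secrets.token_hex(32)


def serve_feed(query: dict, users: dict, anonymous_allowed: bool) -> str:
    """Whose feed issue_rss.php would answer with: the identified user,
    'anonymous' (no username/key given and anonymous access enabled), or
    'login page' when the presented key no longer matches."""
    if "username" in query or "key" in query:
        user = users.get(query.get("username", ""))
        if user is not None and rss_key_is_valid(user, query.get("key", "")):
            return user.username
        return "login page"
    return "anonymous" if anonymous_allowed else "login page"


def _sample_user() -> User:
    # Constructed sample user; the password hash is of a made-up string.
    return User("antoinec", hashlib.sha256(b"constructed-sample").hexdigest())


def scenario_logout(remember: bool) -> dict:
    """Copy the URL, log out, log in again the next day."""
    user = _sample_user()
    key = rss_calculate_key(user)
    out = {"valid_at_copy": rss_key_is_valid(user, key)}
    logout(user)
    out["valid_after_logout"] = rss_key_is_valid(user, key)
    login(user, remember)
    out["valid_after_relogin"] = rss_key_is_valid(user, key)
    return out


def scenario_no_logout(remember: bool) -> dict:
    """Copy the URL, never log out; the next login is permanent or not."""
    user = _sample_user()
    key = rss_calculate_key(user)
    login(user, remember)
    return {"valid_next_day": rss_key_is_valid(user, key)}


if __name__ == "__main__":
    print("logout, then remember-me login:", scenario_logout(remember=True))
    print("no logout, remember-me:", scenario_no_logout(remember=True))
    print("no logout, non-permanent:", scenario_no_logout(remember=False))
```

Run as a script, the three scenarios show the pattern the reporter saw: the key is valid when copied, dead after a logout no matter how the next login is done, and only survives when the user stays in a permanent session and never logs out.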

antoinec
2021-04-29 11:59
reporter ~0065456

Yes, when I was on 2.24.4, it was working.

dregad
2021-04-29 12:13
developer ~0065457

I don't have an immediate solution, unless you stay logged in.

Since the invalidation of the session cookie was implemented to fix a security issue, this can't be reverted.

Alternatively, if your Mantis allows anonymous login, you can try to use the URL http://path.to/mantis/issue_rss.php (without the username / key parameters) to get a feed for the anonymous user, but that may not give you the same results as your personal, identified session (private issues / projects).