View Issue Details

ID: 0033426
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2024-02-20 16:58
Reporter: silambu
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.26.0
Target Version: 2.26.1
Fixed in Version: 2.26.1
Summary0033426: User not authenticated when following link from notification email
Description

Hello,
I have updated the Mantis version to the latest one, 2.26.0, and am facing an issue: when I click a Mantis link from any source (from email or from a chat), it asks me to log in.

Please find the screenshot for reference. I clicked my Mantis ticket link from email; generally it should open in a new tab automatically, but here I need to click login or simply press Enter, and then the session page loads and opens.

Thank you

TagsNo tags attached.
Attached Files
image.png (31,593 bytes)

Relationships

related to 0029611 (closed, dregad): Cookies "SameSite" attribute triggers warnings in Firefox console

Activities

dregad

2023-12-12 08:03

developer   ~0068401

Sounds like normal behavior caused by expired user session / login cookie. Just complete the login process.

atrol

2023-12-12 15:25

developer   ~0068402

@dregad there is a changed behavior in 2.26.0.
E. g. first login into https://www.mantisbt.org/bugs
After that, click on the link in the email you got for this note.
Your browser will open a new tab for that, but you will not be logged in in this tab.

IIRC this was different in older versions.

tanidar

2023-12-13 02:48

reporter   ~0068403

We are also experiencing this problem. You can enter whatever you like in the login field or even just click the login button with an empty field.

dregad

2023-12-13 03:27

developer   ~0068404

Last edited: 2023-12-18 03:40

Thanks for the pointer @atrol

I performed some quite tedious testing and analysis using git bisect, and indeed I can confirm the problem now. It has been present for quite some time, but I never really noticed or paid attention to it.

The offending commit is MantisBT master ea80bcfb, see 0029611.

Problem is the new setting for the Cookie SameSite attribute being set to Strict by default (used to be None), so the cookie is not sent for requests originating from a different domain.

dregad

2023-12-13 04:57

developer   ~0068405

Last edited: 2023-12-13 05:43

@silambu @tanidar
As a workaround for this behavior, you can set $g_cookie_samesite = 'Lax'; in your config_inc.php.
Please note that users may need to log out and log back in, to switch the string cookie's secure attribute to the new value.

@atrol
I initially set this new config to Strict for security purposes, the intention being to provide the strongest possible protection against CSRF attacks.

I see now that this is detrimental to UX in a quite common usage scenario (click link from email), so maybe the default should be set to Lax instead. And of course improve the documentation in Admin Guide, to clearly describe the impact of each value on system behavior.

What do you think ?
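The SameSite behaviour dregad describes in the two comments above (Strict drops the cookie on a link clicked from another site; Lax keeps it for that case while still withholding it on cross-site POSTs), as an added example that is not MantisBT code: a small Python model of the browser's cookie-attachment rule, run over constructed requests. Site names and the `Request` shape are assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import Optional

# Methods a browser treats as "safe" for SameSite=Lax cross-site navigations.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    initiator_site: Optional[str]  # site of the page that triggered the request; None = typed URL
    target_site: str               # site the request is sent to (where the cookie lives)
    method: str
    top_level: bool                # True when the request changes the address bar (link click)


def is_same_site(req: Request) -> bool:
    # No initiator (typed URL, bookmark) is treated as same-site by browsers.
    return req.initiator_site is None or req.initiator_site == req.target_site


def cookie_sent(samesite: str, req: Request, secure: bool = True) -> bool:
    """Return True if a cookie carrying this SameSite value is attached to req."""
    value = samesite.lower()
    if is_same_site(req):
        return True                       # same-site requests always get the cookie
    if value == "strict":
        return False                      # never cross-site: the 2.26.0 default behaviour
    if value == "lax":
        # Cross-site only for top-level navigations with a safe method (link from email).
        return req.top_level and req.method.upper() in SAFE_METHODS
    if value == "none":
        return secure                     # browsers require Secure for SameSite=None
    raise ValueError(f"unknown SameSite value: {samesite}")


# Constructed scenarios (placeholder hostnames): a link clicked in webmail, a
# cross-site form POST (the CSRF case Strict was chosen to block), and an
# ordinary same-site request made from within MantisBT itself.
EMAIL_LINK = Request("mail.example.com", "mantis.example.com", "GET", True)
CROSS_SITE_POST = Request("other.example", "mantis.example.com", "POST", True)
SAME_SITE_GET = Request("mantis.example.com", "mantis.example.com", "GET", False)


def matrix():
    """(email link gets cookie, cross-site POST gets cookie) per SameSite value."""
    return {v: (cookie_sent(v, EMAIL_LINK), cookie_sent(v, CROSS_SITE_POST))
            for v in ("Strict", "Lax", "None")}


if __name__ == "__main__":
    for value, (link_ok, post_ok) in matrix().items():
        print(f"{value:6} email link: {link_ok!s:5} cross-site POST: {post_ok}")
```

Only `Lax` yields `(True, False)`, which is why it resolves the reported login prompt without reopening the cross-site POST case.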

tanidar

2023-12-13 05:23

reporter   ~0068406

@dregad thanks, that worked for us. We are using Mantis with Trello for task management, so that was a very irritating issue.

atrol

2023-12-17 15:38

developer   ~0068408

so maybe the default should be set to Lax instead. And of course improve the documentation in Admin Guide, to clearly describe the impact of each value on system behavior.

@dregad seems to make sense to me

dregad

2023-12-18 03:40

developer   ~0068409

Thanks for your feedback.

silambu

2023-12-19 02:08

reporter   ~0068410

@dregad

Thanks for the workaround, it works for me :)

Related Changesets

MantisBT: master 14e7eccb

2024-01-06 08:02

dregad

Change $g_cookie_samesite default to 'Lax'

The original value was 'Strict' for security purposes, the intention
being to provide the strongest possible protection against CSRF attacks.

Unfortunately, this actually prevents the user's session cookie from
being recognized when clicking a link from a notification email, causing
MantisBT to open an anonymous session even when the user is logged in.

Changing the default value to 'Lax' fixes the issue.

Fixes 0033426
Affected Issues
0033426
mod - config_defaults_inc.php

MantisBT: master-2.26 d6febe31

2024-01-06 08:02

dregad

Change $g_cookie_samesite default to 'Lax'

The original value was 'Strict' for security purposes, the intention
being to provide the strongest possible protection against CSRF attacks.

Unfortunately, this actually prevents the user's session cookie from
being recognized when clicking a link from a notification email, causing
MantisBT to open an anonymous session even when the user is logged in.

Changing the default value to 'Lax' fixes the issue.

Fixes 0033426

(cherry picked from commit 14e7eccb07abb8def19968da9118b7dc89996efa)
Affected Issues
0033426
mod - config_defaults_inc.php

MantisBT: master 9d9d4c21

2024-01-06 08:21

dregad

Document effect of $g_cookie_samesite = 'Strict'

Also explain that users with an active session cookie need to log out
and back in if this setting is changed.

Fixes 0033426
Affected Issues
0033426
mod - config_defaults_inc.php
mod - docbook/Admin_Guide/en-US/config/cookies.xml

MantisBT: master-2.26 59e96cea

2024-01-06 08:21

dregad

Document effect of $g_cookie_samesite = 'Strict'

Also explain that users with an active session cookie need to log out
and back in if this setting is changed.

Fixes 0033426

(cherry picked from commit 9d9d4c21395bba60002c1c0059862c936757b300)
Affected Issues
0033426
mod - config_defaults_inc.php
mod - docbook/Admin_Guide/en-US/config/cookies.xml