View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0036819 | mantisbt | authentication | public | 2026-01-07 19:56 | 2026-01-09 13:26 |
| Reporter | ThecaTTony | Assigned To | | | |
| Priority | normal | Severity | major | Reproducibility | always |
| Status | confirmed | Resolution | open | | |
| Platform | linux | OS | ubuntu | OS Version | 24.04 lts |
| Product Version | 2.28.0 | | | | |
| Summary | 0036819: Secure cookies are rejected by the browser | | | | |
| Description | After updating to version 2.28.0 and having the cookie prefix set to: `$g_cookie_prefix = '__Host-BPMS';` The browser rejects cookies because they are not being served correctly by (I think) mantisbt. If I revert the update, changing the mantisbt link to the previous version in the web server directory, everything works correctly. | | | | |
| Steps To Reproduce | Update to 2.28.0 with "__Host-SOMETHING" cookie prefix and try to log in or (if already logged in) try to change project. | | | | |
| Additional Information | https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#cookie_prefixes `__Secure-`: Cookies with names starting with `__Secure-` must be set with the `Secure` attribute by a secure page (HTTPS). | | | | |
| Tags | No tags attached. | | | | |
| Attached Files | | | | | |

I forgot to mention that the cookies in the attached screenshot were set using version 2.27.3, while I was testing. I was unable to log in with version 2.28.0; all I got was the message: "Your browser either does not know how to handle cookies, or refuses to handle them."

Hello @ThecaTTony, thanks for the report. I was not aware of this cookie prefix feature, learn something new every day... Confirming the bug, as I was able to reproduce the problem. According to git bisect, the regression was introduced by MantisBT master 5393a566 as part of the fix for 0035424.
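
A check for the prefix rules behind this report, as an added example (not MantisBT code and not part of the issue thread): it parses `Set-Cookie` header values and lists the reasons a browser would drop a `__Host-` or `__Secure-` cookie. The `__Host-` conditions (Secure, no Domain, Path=/) come from the cookie-prefix specification rather than from this page, and the cookie names and header values are constructed samples.

```python
# Added example: validate Set-Cookie values against browser cookie-prefix rules.
# SAMPLES are constructed for illustration, not captured from a MantisBT server.
SAMPLES = [
    "__Host-BPMS_EXAMPLE=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Host-BPMS_EXAMPLE=abc123; Path=/mantis/; Secure; HttpOnly",
    "__Host-BPMS_EXAMPLE=abc123; Path=/; Domain=tracker.example; Secure",
    "__Secure-BPMS_EXAMPLE=abc123; Path=/mantis/; HttpOnly",
]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, attributes keyed in lowercase)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # last duplicate wins
    return name.strip(), attrs


def prefix_violations(header_value, from_https=True):
    """Return the reasons a browser would reject this cookie for its prefix.

    from_https says whether the response was delivered over HTTPS; that is
    not visible in the header itself, so the caller has to supply it.
    """
    name, attrs = parse_set_cookie(header_value)
    lowered = name.lower()  # rfc6265bis matches prefixes case-insensitively
    is_host = lowered.startswith("__host-")
    problems = []
    if is_host or lowered.startswith("__secure-"):
        if not from_https:
            problems.append("set from a non-HTTPS response")
        if "secure" not in attrs:
            problems.append("missing Secure attribute")
    if is_host:
        if "domain" in attrs:
            problems.append("Domain attribute not allowed")
        if attrs.get("path") != "/":
            problems.append("Path must be exactly /")
    return problems


if __name__ == "__main__":
    for header in SAMPLES:
        print(prefix_violations(header) or "accepted", "<-", header)
```

Feed it the `Set-Cookie` values from a login response (for example from the browser's network panel) to see which attribute a rejected cookie is missing.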