View Issue Details

ID: 0036988
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2026-04-18 10:33
Reporter: scooterchris
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: 2.28.1
Summary: 0036988: Adding a note to an issue results in error: APPLICATION ERROR #2800
Description

Regression in Mantis 2.28.0 (also 2.28.1) prevents edit actions such as Add Note, with error "APPLICATION ERROR #2800". Reverting to Mantis 2.27.3 allows Add Note to work correctly.

Steps To Reproduce

Regression introduced in Mantis 2.28.0, also duplicated in 2.28.1.

Client:
Windows 11 Pro 25H2
Google Chrome Version 146.0.7680.154 (Official Build) (64-bit)

Server:
Mantis 2.28.1 or 2.28.0
php-8.2.30
Apache httpd 2.4.62
mariadb-10.5.29
Red Hat Enterprise Linux release 9.7 (Plow)

Selected /etc/php.ini configuration:
session.gc_maxlifetime = 3600
session.name = __Secure-PHPSESSID
session.use_only_cookies = 1

Selected Apache configuration settings from httpd.conf:
Header set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options: nosniff
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Mantis config/config_inc.php:
$g_form_security_validation = ON

Log in to Mantis using Google Chrome via HTTPS URL.
View Issues.
Open any issue.
Scroll down to Add Note.
Enter a few random words of note text, click Add Note.
Time from loading the issue page to clicking Add Note is less than 1 minute, so not a session timeout.

APPLICATION ERROR #2800

Invalid form security token. This could be caused by a session timeout, or accidentally submitting the form twice.

Please use the "Back" button in your web browser to return to the previous page. There you can correct whatever problems were identified in this error or select another action. You can also click an option from the menu bar to go directly to a new section.

Detailed error information
Full path: /var/www/html/mantis/core/form_api.php
Line number: 157
Stack trace
#   Filename    Line    Class   Type    Function    Args
0   /var/www/html/mantis/core/form_api.php  157 -   -   trigger_error   <string>'2800', <integer>256
1   /var/www/html/mantis/bugnote_add.php    44  -   -   form_security_validate  <string>'bugnote_add'

Clearing web browser cookies and cache did not resolve the error.

I read Mantis docs "9.1.1. Error 2800 - Invalid form security token" and it did not resolve the issue.
https://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.troubleshooting.errors.2800

Workarounds:
1) Rolling back to Mantis 2.27.3 resolves the issue, allowing the Add Note to add to an issue.
2) In config/config_inc.php, setting the following allows editing with Mantis 2.28.1 and 2.28.0:
$g_form_security_validation = OFF

Tags: No tags attached.

Relationships

duplicate of 0036819 (closed, dregad): Secure cookies are rejected by the browser

Activities

dregad

2026-03-21 19:02

developer   ~0070898

Thanks for the detailed report, but unfortunately I am not able to reproduce the problem, it works just fine both on my dev box and in this very tracker.

dregad

2026-03-31 03:16

developer   ~0070923

scooterchris,

You did not provide any feedback; I am therefore resolving this issue.

Feel free to reopen it at a later time and provide the requested information.

scooterchris

2026-04-01 15:48

reporter   ~0070932

I found the specific /etc/php.ini setting that triggers the bug.

The following default setting allows adding a note without issue using the client and server configuration described above:
session.name = PHPSESSID

Changing the setting to the following prevents adding notes, with 2800 error shown.
session.name = __Secure-PHPSESSID

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#Examples

Some cookie names contain prefixes that impose specific restrictions on the cookie's attributes in supporting user-agents. All cookie prefixes start with a double-underscore (__) and end in a dash (-). The following prefixes are defined:

__Secure-: Cookies with names starting with __Secure- must be set with the Secure attribute by a secure page (HTTPS).
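
The prefix rule quoted above can be checked against the `Set-Cookie` headers a server sends, since a cookie the browser refuses is never sent back on the next request. The following is an added example, not part of the original report and not MantisBT code; the sample headers and the `tracker.example` URL are constructed, and the `__Host-` checks go beyond the `__Secure-` prefix quoted in the comment.

```python
# Added example: check Set-Cookie headers against the cookie-prefix rules.
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attributes); attribute names lowercased."""
    first, *rest = header.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.strip().partition("=")
        if key:
            attrs[key.lower()] = value.strip()
    return name, attrs


def prefix_violations(header, page_url):
    """Return reasons a prefix-aware browser would refuse this cookie ([] if none)."""
    name, attrs = parse_set_cookie(header)
    lowered = name.lower()
    if not lowered.startswith(("__secure-", "__host-")):
        return []  # no prefix, so no extra requirements apply
    problems = []
    if urlsplit(page_url).scheme != "https":
        problems.append("not set by a secure (HTTPS) page")
    if "secure" not in attrs:
        problems.append("Secure attribute missing")
    if lowered.startswith("__host-"):
        if "domain" in attrs:
            problems.append("__Host- forbids the Domain attribute")
        if attrs.get("path") != "/":
            problems.append("__Host- requires Path=/")
    return problems


# Constructed sample headers (not captured from the reporter's server).
SAMPLES = [
    "PHPSESSID=abc123; path=/; HttpOnly",
    "__Secure-PHPSESSID=abc123; path=/; HttpOnly",
    "__Secure-PHPSESSID=abc123; path=/; Secure; HttpOnly",
    "__Host-PHPSESSID=abc123; path=/mantis/; Secure; HttpOnly",
]

if __name__ == "__main__":
    # Hypothetical page URL used only to supply the scheme.
    for sample in SAMPLES:
        issues = prefix_violations(sample, "https://tracker.example/mantis/view.php")
        print(f"{'REJECT' if issues else 'accept'}  {sample}  {issues}")
```

To apply it to a real server, paste the `Set-Cookie` values shown for the login response in the browser's developer tools (Network tab) into `SAMPLES`.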

dregad

2026-04-02 04:11

developer   ~0070933

Thanks for the feedback. This problem has already been identified, see 0036819.

Unfortunately at this time I'm not sure how it can be fixed. If you can help, contributions are welcome.

I'm closing this as duplicate.