0009692: Application error #2800 when resetting password - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0009692	mantisbt	signup	public	2008-10-14 13:56	2009-06-26 12:01

Reporter	jbert	Assigned To	jreese
Priority	normal	Severity	crash	Reproducibility	always
Status	closed	Resolution	no change required
Product Version	1.2.0a2

Summary	0009692: Application error #2800 when resetting password
Description	This error bit me when I tried to sign up and attempted to complete the process. I got through initial sign up, until I got a mail asking me to visit an URL to set my own access password (in the form of http://www.mantisbt.org/bugs/verify.php?id=xxx&confirm_hash=xxxxxxxx...xxx). When I entered my password and clicked "Update user", I got to an error screen saying "Application error #2800" and "Invalid form security token. Did you submit the form twice by accident?". Going to the login screen, requesting a new password and browsing to the supplied link yielded the same effect. Seeing how I could not change my password, I could not login (explaining the "crash" severity).
Steps To Reproduce	(Note: this may or may not work for a working user account.) -Request a new password -Follow a password reset URL from your mail. -Enter your new password -Click Submit / "Update user".
Additional Information	As a workaround, it seems you CAN manage to update your password, albeit it is far from intuitive: -Go to the received URL -Notice you are logged in with your user account. -Click "My Account" at the top. -Enter your password -Submit. This time, submitting works as long as your session is not invalidated. The reason the above works is probably because the mailed URL's take you to a form which does not set form security tokens, whereas the "My account" page does.
Tags	No tags attached.

jreese 2008-10-14 14:30 reporter ~0019559	This is already fixed in SVN trunk, r5659.

jbert 2008-10-14 15:05 reporter ~0019562	Ok, seems the official instance wasn't updated up to that point then.

olegos 2008-10-17 17:32 reporter ~0019584	Is this fixed in 1.1.x branch? Because it's happening in 1.1.3.

jreese 2008-10-20 11:25 reporter ~0019602	This was just recently fixed in 1.1.x branch. See issue 0009713 for details.

claudiu_cristea 2008-10-23 05:26 reporter ~0019642	I simply added the r5659 modifications in verify.php (in fact a session_init() call) and I still got those errors on an account in my system. What else can be? I'm using M 1.1.2

claudiu_cristea 2008-10-23 06:05 reporter ~0019646	I also applied r5700, r5701, r5702, r5703 as stated in 0009713... Same behavior!

mad93 2008-10-23 22:07 reporter ~0019668	I've also applied the patchs and the session error is not showed, but I continue getting the 2800 error when setting the password for a new user.