I just reproduced this again myself and can confirm that timeout wouldn't be an issue, I got the Email, clicked the link, quickly typed in the info and clicked Update User. I also made sure that I wasn't doing it twice.APPLICATION ERROR #2800
Invalid form security token. This could be caused by a session timeout, or accidentally submitting the form twice.
...
I found the below, which just suggests updating to the latest version, however our version is much newer than what was reported there.
https://mantisbt.org/forums/viewtopic.php?t=20595
The below link refers you to the admin manual.
https://mantisbt.org/bugs/view.php?id=14122
The admin manual refers to a PHP setting, gc_maxlifetime which it says defaults to 24 mins. That's way above the timeframe involved in my testing. As I said I'm clicking the link immediately when receiving it, spending a few seconds or so typing in the field values and then clicking Update User.
It also mentions the possibility of turning $g_form_security_validation off but then mentions that this would be a security risk.
I checked the related PHP settings. So it is the default of 24 mins which should be way higher than needed for what I experienced in my test.
Has anyone conquered this one?session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
VERSION INFO:
Apache 2.6.32
MySQL 5.6.39
PHP 5.6.36
MantisBT 2.17.1