View Issue Details

ID: 0000563
Project: WackoWiki
Category: authentication
View Status: public
Last Update: 2024-02-16 07:29
Reporter: administrator
Assigned To: administrator
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 6.1.x
Target Version: 6.1.x
Fixed in Version: 6.1.x
Summary: 0000563: Change $cf_cookie_samesite default to 'Lax'
Description: The original value was 'Strict' for security purposes, the intention
being to provide the strongest possible protection against CSRF attacks.

Unfortunately, this actually prevents the user's session cookie from
being recognized when clicking a link from a notification email, causing
MantisBT to open an anonymous session even when the user is logged in.

Changing the default value to 'Lax' fixes the issue.
Additional Information: https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Tags: No tags attached.
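The SameSite behaviour behind this report, as an added example that is not WackoWiki or MantisBT code: a small JavaScript model of the browser's cookie-sending rules (site names and the `sid` cookie name are constructed), showing that Strict withholds the session cookie on a top-level link click arriving from a mail client on another site, while Lax still withholds it on the cross-site POST and subresource requests that matter for CSRF.

```javascript
// Added example, not code from WackoWiki or MantisBT: a simplified model of
// the browser's SameSite rules. Site names and the cookie name are constructed.

// Decide whether a cookie with the given SameSite value is attached to a request.
// request: { initiatorSite, targetSite, topLevel (bool), method }
function cookieIsSent(sameSite, request) {
  if (request.initiatorSite === request.targetSite) return true; // same-site: always sent
  switch (sameSite) {
    case 'Strict':
      return false; // never sent on any cross-site request, link clicks included
    case 'Lax':
      // cross-site: only top-level navigations using a safe method
      return request.topLevel &&
        ['GET', 'HEAD', 'OPTIONS'].includes(request.method.toUpperCase());
    case 'None':
      return true; // browsers additionally require the Secure attribute here
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// The Set-Cookie header a wiki would emit for its session cookie (constructed shape).
function sessionCookieHeader(value, sameSite) {
  return `sid=${value}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Constructed scenarios; the wiki is served from wiki.example.
const wiki = 'wiki.example';
const scenarios = {
  // user clicks a link in a notification email opened in webmail on another site
  emailLink:  { initiatorSite: 'mail.example', targetSite: wiki, topLevel: true,  method: 'GET' },
  // a third-party page auto-submits a form to the wiki: the classic CSRF shape
  crossPost:  { initiatorSite: 'other.example', targetSite: wiki, topLevel: true,  method: 'POST' },
  // a third-party page embeds an image or fetch pointing at the wiki
  crossFetch: { initiatorSite: 'other.example', targetSite: wiki, topLevel: false, method: 'GET' },
  // ordinary click within the wiki itself
  inWiki:     { initiatorSite: wiki, targetSite: wiki, topLevel: true, method: 'GET' },
};

// Compare the old and new defaults across the scenarios: Lax keeps crossPost and
// crossFetch blocked but lets the email link arrive with the session intact.
function compareDefaults() {
  const out = {};
  for (const [name, req] of Object.entries(scenarios)) {
    out[name] = { Strict: cookieIsSent('Strict', req), Lax: cookieIsSent('Lax', req) };
  }
  return out;
}
```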

Relationships

related to 0000562 confirmed page call not detecting authenticated session 

Issue History

Date Modified Username Field Change
2024-02-16 07:25 administrator New Issue
2024-02-16 07:25 administrator Status new => assigned
2024-02-16 07:25 administrator Assigned To => administrator
2024-02-16 07:26 administrator Relationship added related to 0000562
2024-02-16 07:29 administrator Status assigned => resolved
2024-02-16 07:29 administrator Resolution open => fixed
2024-02-16 07:29 administrator Fixed in Version => 6.1.x
2024-02-16 07:29 administrator Note Added: 0001102