View Issue Details

IDProjectCategoryView StatusLast Update
0029611mantisbtbugtrackerpublic2023-10-31 16:32
Reporterdregad Assigned Todregad  
Status closedResolutionfixed 
Target Version2.26.0Fixed in Version2.26.0 
Summary0029611: Cookies "SameSite" attribute triggers warnings in Firefox console

Examples of warnings:

Some cookies are misusing the recommended “SameSite“ attribute

Multiple occurrences of the following message, on several pages (view.php, plugin.php, javascript_config, etc):

Cookie “MANTIS_collapse_settings” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read common.js:700:76

This message may have another root cause.

Cookie “MANTIS_collapse_settings” has been rejected because it is already expired. view.php

Steps To Reproduce
  1. Login
  2. Go to View Issues page
  3. Collapse/Expand one of the sections (e.g. _Relationships)
  4. Reload the page

Warnings are shown in the browser's console.

TagsNo tags attached.


related to 0029616 closeddregad collapse_settings cookie is hardcoded 




2022-02-17 16:07

developer   ~0066252

It seems that the warning

Cookie “MANTIS_collapse_settings” has been rejected because it is already expired.

is caused by a bug in Firefox.



2022-02-17 16:45

developer   ~0066254


Related Changesets

MantisBT: master 9090c6c3

2022-02-17 04:40


Details Diff
New config 'cookie_samesite'

Specifies the SameSite attribute for MantisBT cookies.

Issue 0029611
Affected Issues
mod - config_defaults_inc.php Diff File
mod - docbook/Admin_Guide/en-US/config/cookies.xml Diff File

MantisBT: master ea80bcfb

2022-02-17 04:45


Details Diff
Specify the SameSite attribute when setting cookies

This fixes the warnings caused by the SameSite attribute defaulting to
None that were displayed in the browser's console until now.

Changes in gpc_api.php:
- gpc_set_cookie() has a new $p_samesite parameter, defaulting to null,
meaning the value of $g_cookie_samesite config will be used.
- gpc_clear_cookie() also gets $p_samesite parameter, and sets the
cookie's value to 1 instead of '', to avoid console warnings
"Cookie XXX has been rejected because it is already expired".

Changes in common.js / javascript_config.php (fixing the
MANTIS_collapse_settings cookie):
- Expose configs cookie_samesite, cookie_path and cookie_domain
- Set the SameSite attribute, domain and path when setting the cookie

Changes in session_api.php:
- fixing the SameSite warnings for the PHP session cookie (PHPSESSID).

Note: in PHP < 7.3.0, the setcookie() function does not allow specifying
the SameSite attribute. To work around this limitation, the this commit
implements a hack relying on PHP bug 69948 [1].

Fixes 0029611

Affected Issues
mod - core/gpc_api.php Diff File
mod - core/session_api.php Diff File
mod - javascript_config.php Diff File
mod - js/common.js Diff File