This error may only occur when Form Validation is enabled with $g_form_security_validation = ON (see
Section 5.4, “Webserver”). There are several known cases that could trigger it:
Multiple submissions of a form by clicking on the submit button several times (user error)
Invalid or unauthorized submission of a form, e.g. by hand-crafting the URL (CSRF attack)
Expired PHP session
In the first two instances, MantisBT's behavior is by design, and the response is as expected. For expired sessions, however, the user is impacted by system behavior, which can cause not only confusion but also potential loss of submitted form data. What happens is driven by several php.ini configuration settings:
With PHP default values, sessions created more than 1440 seconds (24 minutes) ago have a 1% chance to be invalidated each time a new session is initialized. This explains the seemingly random occurrence of this error.
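The effect of these defaults can be estimated with the following added example, which is not part of the MantisBT documentation or code. It assumes the settings in question are PHP's session.gc_maxlifetime, session.gc_probability and session.gc_divisor (defaults 1440, 1 and 100); the php.ini fragment and the function names are constructed for illustration.

```python
import re

# PHP's default values for its session garbage-collection directives.
# Assumption: these are the php.ini settings behind the 1440 s / 1% figures.
PHP_DEFAULTS = {"session.gc_maxlifetime": 1440,
                "session.gc_probability": 1,
                "session.gc_divisor": 100}

# Constructed php.ini fragment, for illustration only.
SAMPLE_INI = """\
[Session]
session.gc_maxlifetime = 1440   ; seconds
session.gc_probability = 1
session.gc_divisor = 100
"""

def read_gc_settings(ini_text):
    """Extract the three GC directives, falling back to PHP defaults."""
    settings = dict(PHP_DEFAULTS)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]  # strip php.ini comments
        m = re.match(r"\s*(session\.gc_\w+)\s*=\s*(\d+)\s*$", line)
        if m and m.group(1) in settings:
            settings[m.group(1)] = int(m.group(2))
    return settings

def token_loss_probability(settings, session_age, session_starts):
    """Chance the session (and its form token) is gone at submit time.

    session_age: seconds, as counted against gc_maxlifetime.
    session_starts: sessions initialized on the server after the session
    passed gc_maxlifetime; each one is an independent GC trial.
    """
    if session_age <= settings["session.gc_maxlifetime"]:
        return 0.0  # not yet eligible for collection
    divisor = settings["session.gc_divisor"]
    if divisor <= 0:
        raise ValueError("session.gc_divisor must be positive")
    p = min(1.0, settings["session.gc_probability"] / divisor)
    return 1.0 - (1.0 - p) ** session_starts

if __name__ == "__main__":
    cfg = read_gc_settings(SAMPLE_INI)
    for starts in (1, 10, 100, 500):
        print(starts, round(token_loss_probability(cfg, 3600, starts), 3))
```

With the defaults, a session past the limit is lost about 63% of the time once 100 further sessions have been initialized, so the error appears more often the more session traffic the server handles.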
Unfortunately, this problem cannot be fixed without a major rework of the way sessions and form security are handled in MantisBT.
As a workaround, the Administrator can
Users may also install local tools to avoid loss of form data, such as
Typio Form Recovery Chrome extension, or
Form History Control add-on for Firefox and Chrome.