Users can't login but get Invalid Key
I, the super admin, can log into our C5 website no problem from any browser.
However my client who is at a different IP address can't log in no matter what browser they are trying.
Yet I can log in as them without any problems.
But when they try it they are unable and told (from the log):
"438 Invalid Key. Please visit the forgot password page again to have a new key generated."
I've checked the HTaccess file. there isn't any IP blocks on them nor are there any logged in the system. They are using windows IE and FF and Mac Mobile Safari yet they can't get in.
Is it something with their user profiles? Should I delete them and recreate them?
Anyone have a clue what is going on?
So possibilities are:
Client is trying to log in by clicking an old 'reset your password' email link.
USER_CHANGE_PASSWORD_URL_LIFETIME has been defined in site.php as something very short, defaults to 7200 seconds (2 hours).
5.6.3 updated the user password hashing, though I'm not sure of the implications of that, possibly related if you updated.
The error might not appear if you are signing in as the user through the user admin page. Are you able to replicate the issue if you sign in at /login by using their username and password?
I've tried to replicate their error but have been unable to. Each time I am able to log in successfully.
Even when the use the usualy log in : http://mysiteexample.com/index.php/dashboard/...
they are unable to log in and still get an invalid key set back --even though they are using the correct username and password.
I was thinking maybe it was related to conflict in user group permissions? or maybe something on their local server is conflicting with the C5 settings? I'm baffled.
If that doesn't work, and after you've cleared the site cache, might have to recreate a user account for them as you mentioned.
Not sure what the cause is though unfortunately.
So after spending a day trying to figure out my client's conundrum of not being able to sign into their site, I followed the course of action that other suggested here. I emptied the site cache, then deleted and recreated the user.
I then mailed the client with directions on how to dump their browser's cache and to then log into the site's dashboard.
The client write's back: " ...I logged out and tried to log back in through the concrete5.org site, but was denied. But when I logged in to the link you sent, i got in."
Me: Wait... You were trying to log into CONCRETE5.ORG?????
Well that was one concrete5 question that was solved easily!
Glad to hear it was sorted out!