Users can't login but get Invalid Key

Howdy C5 Brain trust, Here's a problem that for the life of me I can't figure out:

I, the super admin, can log into our C5 website no problem from any browser.
However my client who is at a different IP address can't log in no matter what browser they are trying.

Yet I can log in as them without any problems.

But when they try it they are unable and told (from the log):
"438 Invalid Key. Please visit the forgot password page again to have a new key generated."

I've checked the HTaccess file. there isn't any IP blocks on them nor are there any logged in the system. They are using windows IE and FF and Mac Mobile Safari yet they can't get in.

Is it something with their user profiles? Should I delete them and recreate them?

Anyone have a clue what is going on?

View Replies:
goodnightfirefly replied on at Permalink Reply
That message appears when using an expired 'reset your password' link, or if the user object wasn't able to be loaded.

So possibilities are:

Client is trying to log in by clicking an old 'reset your password' email link.

USER_CHANGE_PASSWORD_URL_LIFETIME has been defined in site.php as something very short, defaults to 7200 seconds (2 hours).

5.6.3 updated the user password hashing, though I'm not sure of the implications of that, possibly related if you updated.

The error might not appear if you are signing in as the user through the user admin page. Are you able to replicate the issue if you sign in at /login by using their username and password?
growlrooed replied on at Permalink Reply
I've tried to replicate their error but have been unable to. Each time I am able to log in successfully.

Even when the use the usualy log in :
they are unable to log in and still get an invalid key set back --even though they are using the correct username and password.

I was thinking maybe it was related to conflict in user group permissions? or maybe something on their local server is conflicting with the C5 settings? I'm baffled.
goodnightfirefly replied on at Permalink Reply
Changing their password for them should refresh the hash key, even if you just reuse the same password.

If that doesn't work, and after you've cleared the site cache, might have to recreate a user account for them as you mentioned.

Not sure what the cause is though unfortunately.
EvanCooper replied on at Permalink Reply
Yes, try changing their passwords and clearing cache and see if that helps at all.
growlrooed replied on at Permalink Reply
Ok all. Will give it a shot.
growlrooed replied on at Permalink Reply
This is too hilarious not to tell:

So after spending a day trying to figure out my client's conundrum of not being able to sign into their site, I followed the course of action that other suggested here. I emptied the site cache, then deleted and recreated the user.

I then mailed the client with directions on how to dump their browser's cache and to then log into the site's dashboard.

The client write's back: " ...I logged out and tried to log back in through the site, but was denied. But when I logged in to the link you sent, i got in."

Me: Wait... You were trying to log into CONCRETE5.ORG?????

Well that was one concrete5 question that was solved easily!
goodnightfirefly replied on at Permalink Reply
Oh man, I've had this happen before too so I understand the struggle of trying to debug it all.

Glad to hear it was sorted out!