Invalid Login with right credentials

Hello,

Some users are unable to log in and get an “invalid login” alert.
The entered password and username are definitely right.
Admin (default blueprint) seems not to be affected, only the users with the role Mitarbeiter.

About the setup:
Version: 3.8.4
PHP8
Apache 2.4

I have set up an internal homepage for our employees.
The site is only accessible when logged in.
The regular employees are only allowed to view the frontend and edit their password (configured in user blueprint):

title: Mitarbeiter
permissions:
  access:
    settings: false
    system: false
    users: false
    site: false
    languages: false
  user:
    *: false
    changePassword: true

There are about 15 users at the moment. Most of the users log in from 2 PCs.
The password is hashed in the .htpasswd file.

What I have done so far:

  • reset passwords
  • deleted cookies in browser
  • deleted the sessions
  • deleted all accounts, reran install and added in the users
  • did the update to 3.8.4 from 3.8.1

When I change the role of a user that is unable to log in to admin, he is able to log in.

I have no clue where to look next.

Does this happen just sometimes or can’t they log in at all?

After some time (multiple hours) they get the error message and then they aren’t able to log in. No one was able to log in again after the error. But not all are affected at the same time.
Only when I change their role to admin, they are able to log in again, but when I change them back to “Mitarbeiter” they are again locked out.
I hope this makes sense to you.

And it doesn’t help if they clear the browser cache? Can you reproduce it locally?

And what about installed plugins?

No, it does not help to clear the cache.
Yes, I can reproduce it.
I have one plugin, in which I store three small site-wide functions. For example for converting decimal hours in h:min, no role-specific functions.
Wouldn’t plugins affect all users?

Is there a way to check what is causing it to be invalid?
Like Kirby thinks the username is incorrect or something like that.

Is this reproducible in a fresh Starterkit?

I haven’t tried that.
I will set up a test server and try it out.

Also happened to me right now, 403 response showing “invalid login” in the panel with correct credentials. Seems to have gone away now after waiting for some time?

Happened in different browsers, also incognito mode, so it shouldn’t be a cache issue.

Is there some kind of blocking when you’re switching accounts a lot?

I wasn’t able to recreate the issue on my test-setup.
But the issue didn’t come up on the live system anymore.
Unfortunately I didn’t find the cause.