(Click to enlarge)

You'll need to provide a link to see the error on, or extract error details from that popup error or the error log. There's no error messages or anything in this report to investigate currently. Both items of functionality normally work, I just double checked.

Actually I dug out what site yours is, sorry I forget who owns what sites even when I've helped look into things before. I'll try some resets on your username on the 2 sites I know of, so if you get e-mails don't worry it's just me.

Still can't reproduce anything. The validateip.php script doesn't even check usernames, and the reset on KingBast didn't produce any AJAX error like in the screenshot. The reset form submitted, then complained it can't do a reset on an admin.
All I can think is you had some DB corruption on some level.

Okay, if you cannot reproduce it then I have no idea what caused it. If I manage to reproduce it I will provide more details. Thanks.

I assume it said my username was inactive until I clicked the link in the email, that's how it appeared to me anyway.

By "the email", do you mean the IP validation email? Or is it a new account and you had to approve it as admin, or confirm it as the user?

It was my existing account. I turned that validation setting on and was presented with that view on the screenshot. Beneath the window, was the text that my username was not active (as I had entered it to recover my password). Maybe it wasn't active because I hadn't validated the new IP.

And yes I meant the IP validation email (which took me a while to find cos I had no idea what email address I had used, and wasn't expecting the IP validation to affect me).

I am having a very hard time piecing together the scenario here.

Please state an exact sequence of events, and paste full/exact error messages. I think you are saying you turned on IP validation, then you presumably logged out at some point, then back in at some point, then were asked to do an IP validation, and got an email about that, then presumably clicked the link. Then I wonder if you logged back out again, or somehow found your way to the reset password screen by other means. But I'm very unclear on this.

Current lack of clarity include:
- How you got to the reset password screen, if you had been asked to confirm your IP address (it should lock you out, and I don't think a logout button shows). Maybe you used another browser, maybe incognito mode, I'm not sure.
- What exactly the "not active" error is (there's no case of these words being used together to refer to a user account state in our language strings, I just did a search). I can't think of any error message we have regarding it either, and the IP validation is not turned to account approval (it's a very localised check that only runs at log in / cookie log in).
- If "below the window" in fact means "below the overlay", and is referring to the overlay in the attached screenshot (the window would be the browser window itself, overlays aren't actually windows, e.g. not draggable)
- What the error message in the overlay is (I realise it looks like a big blob of HTML, but there's likely an error message buried in it, if you could paste the whole text here I could find it)

Okay, from memory I turned on IP validation and didn't log out. I was immediately redirected to the message about needing to revalidate my IP. Not sure how I got to the reset password screen, but I think I was unsure of what email address I had used on my account and was hoping I would get a clue. Whilst at the reset password screen I entered my username and was informed that KingBast wasn't an active username. That is exactly what the message said just below the input for the username.

I wasn't able to capture the whole message in the screenshot, I just assumed it was a valid overlay that had displayed incorrectly. Cannot really reproduce it unless my IP changes again, which is bound to happen before too long.

"Not sure how I got to the reset password screen, but I think I was unsure of what email address I had used on my account and was hoping I would get a clue"

That's a cool idea. I just implemented support for us showing the target mail when a reset is made, or a masked version of it (e.g. [email protected]) for me.
However we'll have to leave that off by default because it's potentially a gross privacy violation for some sites, gives too much of a hint who anonymous users might be.

Automated response: Conflict: Cookie logins & IP validation & Reset password

If you have a cookie login, but you have high security and an unvalidated IP, then go to reset password, then you'll be told the username is not active and shown some junk HTML.

This is because the reset password script checks the given username using AJAX, and the AJAX notices a cookie login not fulfilled so tries and activates, finds an IP validate is needed, then fails to send the email due to a missing dependency within fast-loading AJAX scripts. This results in non-sense going back to the user and an incorrect 'missing username' perception.

For reference the error was: "xxx is not an active username". I was looking for "not active" in the verb sense, so couldn't find it. So exact error messages helps me a lot to search and trace the code. Thanks to your more detailed information I was able to reproduce and fix as above.

Thank you and apologies for not making it clearer. Also, that change which shows the masked email address is great and I will be turning it on ;)

P.S. First time I've ever clicked on a GitHub commit link and that one above gives me a 404. Just tried another commit link from another fixed bug and that one worked, so thought I would mention it (even though it's probably not important). This is what I do ;)