author: EA117 <admin@ea117.com> 2019-07-28 12:25:54 -0500
committer: EA117 <admin@ea117.com> 2019-07-28 12:25:54 -0500
commit: 636fc7fad7dcb61622f23b36141b87ee13a1090d (patch)
tree: 4d88a9f1e82cd2be041fcabf6cdecb9936758ceb /phpBB/phpbb/filesystem
parent: ae62bc46428948cdfbb735c8b9b566d02c0f78f0 (diff)
[ticket/16066] Fix FORM_INVALID always returned for banned user.
After the introduction of add_form_key() and check_form_key() calls to login_box() in phpBB 3.2.6 and later, if a banned user attempts to log in, they receive a "The submitted form was invalid. Try submitting again." instead of the message indicating that they are banned, and why.

This is happening because check_ban() actually calls into login_box() recursively, but after the $user->session_id has been switched to a new session ID for the logging-on user. Therefore, now that check_form_key() has been introduced to login_box(), it is impossible for check_form_key() to succeed during this recursive call.

Fix is to make login_box()'s use of check_form_key() conditional on whether IN_CHECK_BAN is defined, so that the recursive call does not attempt to re-validate the form_key again. Note the form_key has already been successfully verified by the original call into login_box(), prior to calling into check_ban() and attempting to recursively call login_box(). So the protection of why check_form_key() was added is still intact with this change.

PHPBB3-16066
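
The failure mode described in the commit message, as an added example that is not phpBB's code and not part of the commit: a simplified model in which a form token is bound to the session ID, the session ID changes during login, and the ban check re-enters the login routine. The function names, the `SECRET` constant, the HMAC token construction, and the `$in_check_ban` and `$patched` parameters (standing in for the `IN_CHECK_BAN` define and for the before/after code) are assumptions made for illustration.

```php
<?php
// Simplified model, not phpBB's implementation. All values are constructed.
const SECRET = 'constructed-demo-secret';

// Token bound to the session that rendered the form (assumed construction).
function make_form_key(string $session_id, string $form): string
{
    return hash_hmac('sha256', $form . '|' . $session_id, SECRET);
}

function check_form_key_model(string $session_id, string $form, string $submitted): bool
{
    return hash_equals(make_form_key($session_id, $form), $submitted);
}

function login_box_model(array &$state, string $submitted, bool $in_check_ban, bool $patched): string
{
    // Patched flow: the recursive call from the ban check skips re-validation,
    // because the outer call has already verified the same token.
    $skip = $patched && $in_check_ban;
    if (!$skip && !check_form_key_model($state['session_id'], 'login', $submitted)) {
        return 'FORM_INVALID';
    }
    if ($in_check_ban) {
        return 'BANNED: ' . $state['ban_reason'];
    }
    // Credentials accepted: the session ID is switched to a new one.
    $state['session_id'] = bin2hex(random_bytes(8));
    if ($state['banned']) {
        // The ban check re-enters the login routine with the same submitted token.
        return login_box_model($state, $submitted, true, $patched);
    }
    return 'LOGIN_OK';
}

function fresh_state(): array
{
    return ['session_id' => 'guest-session', 'banned' => true, 'ban_reason' => 'constructed reason'];
}

foreach ([false, true] as $patched) {
    $state = fresh_state();
    $token = make_form_key($state['session_id'], 'login');
    printf("%s: %s\n", $patched ? 'patched' : 'unpatched', login_box_model($state, $token, false, $patched));
}
// The outer call still validates the token, so a forged one is rejected when patched.
$state = fresh_state();
echo 'forged, patched: ', login_box_model($state, 'not-a-valid-token', false, true), "\n";
```

The last call is the check a reviewer would want: the skip applies only to the re-entrant call, so an invalid token never reaches the ban branch.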
Diffstat (limited to 'phpBB/phpbb/filesystem')
0 files changed, 0 insertions, 0 deletions