Context: On our install, the only supported authentication mechanism is Google.

We have a user who reports that he can't log in to Phabricator. When he tries to log in using Google, he's taken to /auth/validate/?expect=<username> and sees the message:

Login Failure
Login cookie was set correctly, but your login session is not valid. Try clearing cookies and logging in again.

This happens on all browsers, even after cleaning cookies. It even happens if I use ./bin/auth recover to give him a one-time login link.

I tried deleting his account with ./bin/destroy (he was subscribed to a couple tasks, so I manually removed the subscriber relations first). He then went through the new account creation flow using Google, created a brand-new account, and is having the exact same problems.

Other possibly relevant info:

• If I subscribe him to a task and then view the task, he appears as "<gray circle> <username>" -- the UI usually used for disabled accounts, but his is not disabled.
• If I subscribe him to a task, then go edit the task, the token for us name is gray (instead of blue).
• I see 4 cookies set for our domain: phsid, next_uri, phcid, and phusr. The value of phusr is his username.

Any idea what's going on?