diff --git a/app/Http/Middleware/Authenticate.php b/app/Http/Middleware/Authenticate.php
index 6bb6f4dc7765..38f49090dc20 100644
--- a/app/Http/Middleware/Authenticate.php
+++ b/app/Http/Middleware/Authenticate.php
@@ -61,7 +61,8 @@ class Authenticate
 } elseif ($invitation = $this->getInvitation($request->invitation_key)) {
 $contact = $invitation->contact;
 Session::put('contact_key', $contact->contact_key);
- } else {
+ }
+ if (! $contact) {
 return \Redirect::to('client/sessionexpired');
 }
 $account = $contact->account;
@@ -109,6 +110,7 @@ class Authenticate
 // check for extra params at end of value (from website feature)
 list($key) = explode('&', $key);
+ $key = substr($key, 0, RANDOM_KEY_LENGTH);
 $invitation = Invitation::withTrashed()->where('invitation_key', '=', $key)->first();
 if ($invitation && ! $invitation->is_deleted) {
diff --git a/app/Ninja/Repositories/InvoiceRepository.php b/app/Ninja/Repositories/InvoiceRepository.php
index 89ec3e0ff00a..969c2168faf3 100644
--- a/app/Ninja/Repositories/InvoiceRepository.php
+++ b/app/Ninja/Repositories/InvoiceRepository.php
@@ -847,6 +847,7 @@ class InvoiceRepository extends BaseRepository
 {
 // check for extra params at end of value (from website feature)
 list($invitationKey) = explode('&', $invitationKey);
+ $invitationKey = substr($invitationKey, 0, RANDOM_KEY_LENGTH);
 /** @var \App\Models\Invitation $invitation */
 $invitation = Invitation::where('invitation_key', '=', $invitationKey)->first();
diff --git a/resources/views/accounts/client_portal.blade.php b/resources/views/accounts/client_portal.blade.php
index 6b8f17fde7a1..ac316345e8d1 100644
--- a/resources/views/accounts/client_portal.blade.php
+++ b/resources/views/accounts/client_portal.blade.php
@@ -347,7 +347,7 @@
 <script language="javascript">
 var iframe = document.getElementById('invoiceIFrame');
 iframe.src = '{{ rtrim(SITE_URL ,'/') }}/view/'
- + window.location.search.substring(1);
+ + window.location.search.substring(1, 33);
 </script>
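Review bot: In the first hunk of app/Http/Middleware/Authenticate.php, the new `if (! $contact)` guard runs only after the `elseif` branch has already read `$contact->contact_key` inside `Session::put(...)`. If `$invitation->contact` can be null (for example a contact that no longer exists), that branch dereferences null before the redirect is reached. Putting the session write behind the check closes the gap: `if ($contact) { Session::put('contact_key', $contact->contact_key); }`. The start of the `if` chain is outside the hunk, so it cannot be confirmed from here that `$contact` is assigned on every path reaching the guard; if it is not, initialise it with `$contact = null;` before the chain.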
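Review bot: `$key = substr($key, 0, RANDOM_KEY_LENGTH);` in the second Authenticate.php hunk, and the matching `$invitationKey = substr(...)` line in InvoiceRepository.php, truncates an over-long key instead of rejecting it. A valid key followed by arbitrary trailing data is therefore still accepted as that invitation. If the untruncated request value is used anywhere after these lookups (not visible in the hunks), the trailing data survives there. Validating rather than trimming is stricter: fail the lookup when `strlen($key) !== RANDOM_KEY_LENGTH || ! ctype_alnum($key)`, assuming keys are alphanumeric and all of that length, which should be confirmed against the key generator. Both enclosing functions start and end outside their hunks.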

{{ trans('texts.iframe_url_help2') }}

{{ trans('texts.iframe_url_help3') }}
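Review bot: `substring(1, 33)` in resources/views/accounts/client_portal.blade.php hard-codes the key length, while the PHP hunks in this commit use `RANDOM_KEY_LENGTH`, so the two limits can drift apart. That 33 corresponds to a 32-character key is inferred, not shown. The slice only bounds length: whatever characters are in the query string are still concatenated into the iframe URL on the page that embeds this snippet. Consider deriving the bound from the constant and encoding the value, e.g. `+ encodeURIComponent(window.location.search.substring(1, {{ RANDOM_KEY_LENGTH + 1 }}));`.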