machine key is only mainly important if using encrypted passwords it is not used with plain text or hashed though it still can be a factor because the authentication cookie will use the machine key. when using encrypted passwords the machine key is used as part of the encryption of the password stored in the database, therefore if the machine key changes when using encrypted passwords it will not be able to decrypt it so login will fail. When using hashed password the machine key is not a factor in hashing the password so it can change and login will still work.
The main thing I want you to realize is that if login fails by not matching the user or password it will not redirect it will show an error on the login page saying that login failed. The fact that it does redirect means authentication success, it sets the authentication cookie and then does the redirect. But apparently after the redirect you do not appear logged in to the site so it seems that either something prevented setting the cookie or the cookie does not appear as valid. That is why I said make sure no other web.config files are lying around. If ther eis another web.config file somewhere in a sub folder with a different machine key then it will not match. Make sure there is no web.config file in the /Secure folder or in the skin folders or anywhere other than root.
LegacyCryptoHelper was never used for authentication so it is not a factor.
CheckMD5PasswordHashAsFallback only applies with hashed passwords since we changed to stronger hashing if the user had the old weaker hash it could retry if authentication fails using the older weaker hash, if that authentication succeeds then the user data is updated to the new stronger hash.
But again authentication failure does not result in a redirect so the problem is not authentication it is somehow a problem with the authentication cookie. ie if you type in a wrong password on purpose it will not redirect it will show an error. The fact that it redirects means it is authenticating but then on the next request it somehow doesn't accept the authentication cookie.
You should also look in the mojoPortal log to see if it is logging anything that may give a clue to the problem.
You could also use a tool like fiddler to watch the web requests and inspect the cookies. Then you would at least know if the browser is sending the cookie in the request headers or not after authentication.