Currently, if a user submits an identity and password to the login form, and the identity is not in the database, the form returns an error immediately. If the identity is in the database, the supplied password is checked against the stored hash, which takes a fraction of a second longer.
However, the difference is noticeable (about 100ms on my machine, using bcrypt with 10 rounds), which means that it would be possible for someone to determine if an account exists by the amount of time it takes for the login form to be processed.
I added a call to hash_password to the login() method to make the processing time when the user doesn't exist more equitable.
Added unneeded hashing operation on failed login to prevent detection of registered identities because of timing.
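The fix described in the pull request, as an added illustration (this is not the project's code): a leaky `login()` that returns early for unknown identities beside one that always performs the expensive password check, falling back to a dummy hash computed once at startup when the identity is not found. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here, the user table is constructed inline, and the function and variable names are assumptions for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt. The iteration count is
# what makes a password check take tens of milliseconds, which is the delay
# an attacker can observe when it happens only for registered identities.
ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare it in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed user table standing in for the database: identity -> (salt, hash).
USERS = {"alice": hash_password("correct horse battery staple")}

# Dummy credential built once at startup. It is verified against when the
# identity is unknown so that both branches of login() do the same work.
_DUMMY_SALT, _DUMMY_HASH = hash_password(os.urandom(16).hex())


def login_leaky(identity: str, password: str) -> bool:
    """The 'before' behaviour: unknown identities fail without any hashing."""
    record = USERS.get(identity)
    if record is None:
        return False  # fast path: an attacker can tell this identity is unregistered
    return verify_password(password, *record)


def login_constant_work(identity: str, password: str) -> bool:
    """The 'after' behaviour: always run one password verification."""
    record = USERS.get(identity)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = verify_password(password, salt, expected)
    # The dummy hash must never grant access, however unlikely a match is.
    return ok and record is not None


def time_login(fn, identity: str, password: str, rounds: int = 3) -> float:
    """Best-of-N wall-clock seconds for one login attempt."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        fn(identity, password)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    for fn in (login_leaky, login_constant_work):
        known = time_login(fn, "alice", "wrong password")
        unknown = time_login(fn, "mallory", "wrong password")
        print(f"{fn.__name__}: known={known * 1000:.1f}ms unknown={unknown * 1000:.1f}ms")
```

Running the block prints the known-versus-unknown timings for both variants; the leaky version answers unknown identities in microseconds while the constant-work version takes roughly the same time either way. The remaining difference is the dictionary lookup (or, in a real deployment, the database query), which is small next to the hash but not zero, so this removes the obvious signal rather than every timing signal.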
VERY good thinking dude. Thanks!
So is this good to go?
Sorry, I thought I merged it in.