move hash update later in authenticate_user call, as session cookie must be updated for bcrypt hash update to succeed.