This repository has been archived by the owner on Aug 26, 2021. It is now read-only.

Calls to API endpoints spend most of their time verifying password hashes #128

Open
eerotal opened this issue Jun 14, 2020 · 0 comments
Labels
enhancement New feature or request

Comments

@eerotal
Owner

eerotal commented Jun 14, 2020

API endpoints seem to slow down considerably when a lot of sessions exist. The main bottleneck according to xdebug call graphs seems to be password_verify, which takes up to 95% of the call time in at least some endpoints. The password_verify calls in question are used to authenticate sessions based on session tokens, which means that currently each API call requires at least as many calls to password_verify as there are active sessions. As password_verify is quite a slow function by its nature, this is obviously a huge factor in the speed of the API.

There are at least two ways to speed up session authentication:

  1. Decrease the cost used in hashing session tokens with password_hash(). This is a viable option but the cost shouldn't be decreased too much as that reduces the security of the hashing.
  2. Implement a system that makes it possible to verify sessions without calling password_verify on each session token hash separately.
@eerotal eerotal added the enhancement New feature or request label Jun 14, 2020
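
A sketch of the second option, added here as an illustration and not taken from the project's code: the token is split into a selector used for a single indexed lookup and a verifier checked against a stored SHA-256 hash with a constant-time compare. It assumes session tokens are server-generated random values (so a fast hash is sufficient for the stored form); the `SessionStore` class, its methods and the in-memory array standing in for a database table are all hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical SessionStore, not the project's code.
// The array stands in for a table with a unique index on the selector.
final class SessionStore
{
    /** @var array<string, array{hash: string, user: int, expires: int}> */
    private array $rows = [];

    // Issue a token "selector.verifier"; only SHA-256(verifier) is stored,
    // so a leaked table does not yield usable tokens.
    public function create(int $userId, int $ttl = 3600): string
    {
        $selector = bin2hex(random_bytes(12));  // lookup key, not secret
        $verifier = bin2hex(random_bytes(32));  // 256-bit random secret
        $this->rows[$selector] = [
            'hash'    => hash('sha256', $verifier),
            'user'    => $userId,
            'expires' => time() + $ttl,
        ];
        return $selector . '.' . $verifier;
    }

    // One indexed lookup plus one constant-time compare per API call,
    // independent of how many sessions exist.
    public function authenticate(string $token): ?int
    {
        $parts = explode('.', $token, 2);
        if (count($parts) !== 2 || !isset($this->rows[$parts[0]])) {
            return null;                        // malformed or unknown selector
        }
        $row = $this->rows[$parts[0]];
        if ($row['expires'] < time()) {
            unset($this->rows[$parts[0]]);      // drop the expired session
            return null;
        }
        $ok = hash_equals($row['hash'], hash('sha256', $parts[1]));
        return $ok ? $row['user'] : null;
    }
}

// Constructed usage: a valid token, a tampered verifier, an unknown selector.
$store = new SessionStore();
$token = $store->create(42);
var_dump($store->authenticate($token));
var_dump($store->authenticate($token . 'x'));
var_dump($store->authenticate('unknown.deadbeef'));
```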