diff --git a/kallithea/controllers/login.py b/kallithea/controllers/login.py
--- a/kallithea/controllers/login.py
+++ b/kallithea/controllers/login.py
@@ -79,8 +79,8 @@ class LoginController(BaseController):
 # import Login Form validator class
 login_form = LoginForm()()
 try:
+ # login_form will check username/password using ValidAuth and report failure to the user
 c.form_result = login_form.to_python(dict(request.POST))
- # form checks for username/password, now we're authenticated
 username = c.form_result['username']
 user = User.get_by_username_or_email(username)
 assert user is not None # the same user get just passed in the form validation
@@ -102,6 +102,7 @@ class LoginController(BaseController):
 # Exception itself
 h.flash(e, 'error')
 else:
+ # login_form already validated the password - now set the session cookie accordingly
 auth_user = log_in_user(user, c.form_result['remember'], is_external_auth=False, ip_addr=request.ip_addr)
 if auth_user:
 raise HTTPFound(location=c.came_from)
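Review bot: The new comment in the first hunk says `login_form` will "report failure to the user", but on the visible lines the report is the controller's own `h.flash(e, 'error')` in the except branch shown in the second hunk; the validator only raises. Suggest `# login_form validates username/password via ValidAuth; a validation failure raises and is flashed to the user in the except branch below`. The except clause header and any other handlers lie between the two hunks and are not visible, so which exceptions reach that flash is inferred. Separately, the unchanged `assert user is not None` is the only guard between the validator's result and `log_in_user(user, ...)`, and asserts are stripped under `-O`; an explicit `if user is None:` check that raises would keep that contract independent of the interpreter's optimisation level.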