Do constant time compares for sessions for security reasons.
This commit is contained in:
parent
e62f6a4868
commit
60bf821f8a
@ -250,7 +250,7 @@ func (auth *DefaultAuth) SessionCheck(w http.ResponseWriter, r *http.Request) (u
|
||||
return &GuestUser, true
|
||||
}
|
||||
|
||||
if user.Session == "" || session != user.Session {
|
||||
if user.Session == "" || subtle.ConstantTimeCompare([]byte(session), []byte(user.Session)) != 1 {
|
||||
return &GuestUser, false
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user