Do constant time compares for sessions for security reasons.

This commit is contained in:
Azareal 2018-07-20 17:58:59 +10:00
parent e62f6a4868
commit 60bf821f8a

View File

@ -250,7 +250,7 @@ func (auth *DefaultAuth) SessionCheck(w http.ResponseWriter, r *http.Request) (u
return &GuestUser, true
}
if user.Session == "" || session != user.Session {
if user.Session == "" || subtle.ConstantTimeCompare([]byte(session), []byte(user.Session)) != 1 {
return &GuestUser, false
}