Fixed timing attack in signature verification in the cookie session s… …

…tore by replacing = with secure-compare. Adapted from http://codahale.com/a-lesson-in-timing-attacks/ Not using Java's MessageDigest.isEqual since that had a vulnerability until recently