The session cookie store is susceptible to a timing attack during signature verification. #9

Merged
1 commit merged into from Dec 17, 2010

1 participant

@yn
yn commented Dec 16, 2010

No description provided.

@yn yn Fixed timing attack in signature verification in the cookie session store by replacing = with secure-compare. Adapted from http://codahale.com/a-lesson-in-timing-attacks/ Not using Java's MessageDigest.isEqual since that had a vulnerability until recently
0e68817
This issue was closed.
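
The change the commit message describes, as an added example that is not the commit's code and is not taken from the linked article. It is written in Clojure on the assumption that `=` and `secure-compare` are Clojure functions; the key, the cookie payload and every function name other than `secure-compare` are constructed for illustration.

```clojure
(ns example.cookie-signature
  (:import (javax.crypto Mac)
           (javax.crypto.spec SecretKeySpec)))

(defn hmac-hex
  "Hex-encoded HMAC-SHA256 of data under key (both strings)."
  [^String key ^String data]
  (let [mac (doto (Mac/getInstance "HmacSHA256")
              (.init (SecretKeySpec. (.getBytes key "UTF-8") "HmacSHA256")))]
    (apply str (map #(format "%02x" %)
                    (.doFinal mac (.getBytes data "UTF-8"))))))

(defn secure-compare
  "True when a and b hold the same bytes. Every byte pair is XORed and the
  results ORed together, so the work done does not depend on where the
  first mismatch occurs. Only the length is revealed, and a signature's
  length is public anyway."
  [^String a ^String b]
  (if (and a b)
    (let [ab (.getBytes a "UTF-8")
          bb (.getBytes b "UTF-8")]
      (and (= (count ab) (count bb))
           (zero? (reduce bit-or 0 (map bit-xor ab bb)))))
    false))

(defn verify-naive
  "Before: = on strings ends in String.equals, which returns at the first
  differing character, so response time tracks the matching prefix."
  [key data signature]
  (= (hmac-hex key data) signature))

(defn verify-constant-time
  "After: same check, with the comparison swapped for secure-compare."
  [key data signature]
  (secure-compare (hmac-hex key data) signature))

(comment
  ;; Constructed sample values, not from any real deployment.
  (def secret  "example-secret-key")
  (def payload "{:user-id 42}")
  (def good    (hmac-hex secret payload))
  (def forged  (str (subs good 0 8) (apply str (repeat 56 "0"))))

  ;; Both functions accept and reject the same inputs; they differ only
  ;; in how long a rejection takes relative to the matching prefix.
  (verify-naive secret payload good)
  (verify-constant-time secret payload good)
  (verify-constant-time secret payload forged)
  (verify-constant-time secret payload nil))
```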