From 60bf821f8a47ccc98623553de76d999d1821ed09 Mon Sep 17 00:00:00 2001
From: Azareal
Date: Fri, 20 Jul 2018 17:58:59 +1000
Subject: [PATCH] Do constant time compares for sessions for security reasons.
---
 common/auth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/auth.go b/common/auth.go
index 1457326d..a2394874 100644
--- a/common/auth.go
+++ b/common/auth.go
@@ -250,7 +250,7 @@ func (auth *DefaultAuth) SessionCheck(w http.ResponseWriter, r *http.Request) (u
 return &GuestUser, true
 }
- if user.Session == "" || session != user.Session {
+ if user.Session == "" || subtle.ConstantTimeCompare([]byte(session), []byte(user.Session)) != 1 {
 return &GuestUser, false
 }
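Review bot: The added `subtle.ConstantTimeCompare` call on the new `if` line returns 0 immediately when the two byte slices differ in length, so the compare is only constant-time for equal-length inputs; that is acceptable if stored sessions are always fixed-length tokens, but if `user.Session` can vary in length (e.g. legacy or re-generated tokens) an attacker could learn the length from timing, and comparing SHA-256 digests of both values would close that gap. A why-comment would keep the next maintainer from "simplifying" it back to `!=`: `// Constant-time compare so the cookie value cannot be guessed byte-by-byte via timing; lengths must match for this to hold.`. The diffstat shows one insertion and one deletion with no import change, so `crypto/subtle` presumably was already imported in common/auth.go — worth confirming, since otherwise the file will not build. `SessionCheck` starts before this hunk and the `session` variable being compared is defined outside it.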