Skip to content

fix(cookies): use constant-time comparison for signature verification#3

Merged
LeeCheneler merged 2 commits into
mainfrom
fix/cookie-timing-attack
Dec 1, 2025
Merged

fix(cookies): use constant-time comparison for signature verification#3
LeeCheneler merged 2 commits into
mainfrom
fix/cookie-timing-attack

Conversation

@LeeCheneler

@LeeCheneler LeeCheneler commented Dec 1, 2025

Copy link
Copy Markdown
Contributor

Summary

  • Replace naive string comparison (===) with @std/crypto timingSafeEqual() to prevent timing attacks
  • Add documentation explaining why constant-time comparison is necessary
  • The previous implementation returned early on first mismatched character, allowing attackers to measure response times and incrementally guess signatures

Security Impact

Vulnerability: Timing attack on cookie signature verification

Severity: Medium - requires network-level timing measurements, but feasible with statistical analysis

Fix: Use constant-time comparison that takes the same amount of time regardless of where the mismatch occurs

Changes

// Before (vulnerable)
return signature === expectedSignature;

// After (secure)
return timingSafeEqual(a, b);

Test plan

  • All existing cookie tests pass (22 tests)
  • Signed cookie verification works correctly
  • Invalid signatures still rejected

🤖 Generated with Claude Code

@LeeCheneler @claude
fix(cookies): use constant-time comparison for signature verification
738b358 
Replace naive string comparison (===) with @std/crypto timingSafeEqual()
to prevent timing attacks. The previous implementation returned early on
the first mismatched character, allowing attackers to measure response
times and incrementally guess correct signatures byte-by-byte.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@LeeCheneler LeeCheneler enabled auto-merge (squash) December 1, 2025 21:40
@LeeCheneler LeeCheneler disabled auto-merge December 1, 2025 21:40
@LeeCheneler @claude
chore: bump version to 0.1.1
e0d5ff3 
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@LeeCheneler LeeCheneler merged commit 7979b31 into main Dec 1, 2025
2 checks passed
@LeeCheneler LeeCheneler deleted the fix/cookie-timing-attack branch December 1, 2025 21:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@LeeCheneler