lib/lotus/action/csrf_protection.rb in lotusrb-0.5.0 vs lib/lotus/action/csrf_protection.rb in lotusrb-0.6.0
- old
+ new
@@ -127,10 +127,10 @@
#
# @since 0.4.0
# @api private
def invalid_csrf_token?
verify_csrf_token? &&
- session[CSRF_TOKEN] != params[CSRF_TOKEN]
+ ! ::Rack::Utils.secure_compare(session[CSRF_TOKEN], params[CSRF_TOKEN])
end
# Generates a random CSRF Token
#
# @since 0.4.0
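Review bot: The new `! ::Rack::Utils.secure_compare(session[CSRF_TOKEN], params[CSRF_TOKEN])` raises instead of returning true when either token is absent: `Rack::Utils.secure_compare` (as implemented in Rack of this period) calls `bytesize` on both arguments, so a request with no `params[CSRF_TOKEN]`, or a session with no stored token, ends in a NoMethodError rather than in the CSRF rejection path that the old `!=` comparison reached silently; a non-String param value fails the same way. Guard and coerce before comparing, e.g. `token = params[CSRF_TOKEN]` followed by `!(token.is_a?(String) && ::Rack::Utils.secure_compare(session[CSRF_TOKEN].to_s, token))`, so a missing or malformed token is reported as invalid and handled like any other mismatch. Whether `verify_csrf_token?` already excludes these cases is defined outside the hunk, so confirm that before relying on it.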