id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
26614	Use constant_time_compare() in checking session auth hash in login()	Alex Gaynor	nobody	"[https://github.com/django/django/blob/104727030c52a6cd5e85fdcc64dd6cfc906fc241/django/contrib/auth/__init__.py#L103 django.contrib.auth.login()] should use a constant time comparison so that an attacker is unable to gain information about the expected session hash.

The implication seems to be that an attacker might be able to guess the salted hmac of the password, which should be pretty much worthless, and they would also have to guess the session ID, so this is more hardening than a security vulnerability."	Cleanup/optimization	closed	contrib.auth	dev	Normal	fixed			Accepted	1	0	0	0	0	0
