tj / node-cookie-signature

cookie signing
MIT License
180 stars, 34 forks

Why "sha1(mac) == sha1(val)" ? #19

Closed lyenliang closed 9 years ago

lyenliang commented 9 years ago

I'd like to know why "sha1(mac) == sha1(val)" is used instead of "mac == val" at line 42 in index.js. Is this some kind of security issue? Is it necessary to use sha1 here?

lyenliang commented 9 years ago

I've got the answer on stackoverflow.

natevw commented 9 years ago

If anyone else is wondering this, there is more discussion to be found starting at https://github.com/tj/node-cookie-signature/issues/15

rlidwka commented 9 years ago

mac == val is prone to timing attacks. You can look for "timing attacks" on Google/Wikipedia/etc.; there is plenty of information about it.

sha1(mac) == sha1(val) is presumed to be immune to it, because the sha1 function's output effectively randomizes the bits.