Aaron pointed out that when checking the Token cookie, we use a string comparison, which could allow someone to brute-force the correct token faster than brute-forcing the entire key space.
$passwordCorrect = ( strlen( $token ) && $token === $request->getCookie( 'Token' ) );
This should use a constant-time comparison (XOR the strings and check whether the result is > 1).
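The check below is an added example, not MediaWiki's own code: it puts the timing-leaking `===` comparison from the report beside a constant-time version that XORs the two strings byte by byte and accepts only when the accumulated difference is zero. The function name `constantTimeEquals`, the `$storedToken`/`$cookieToken` sample values and the stand-in `getCookie` closure are assumptions made for illustration. PHP 5.6 and later ship `hash_equals( $known, $user )`, which does the same job and should be preferred where available.

```php
<?php
// Added example, not MediaWiki code. Demonstrates why `===` leaks timing and
// how a byte-wise XOR accumulator avoids it.

/**
 * Compare $known against attacker-influenced $given in time that depends
 * only on strlen( $known ), never on where the first differing byte sits.
 * Every byte pair is XORed and OR-ed into an accumulator; the strings match
 * only if the accumulator is still zero at the end.
 */
function constantTimeEquals( $known, $given ) {
    $known = (string)$known;
    $given = (string)$given;
    $knownLen = strlen( $known );
    $givenLen = strlen( $given );

    // An empty user string can never match a non-empty secret; returning
    // here reveals nothing the caller does not already know (its own length).
    if ( $givenLen === 0 ) {
        return $knownLen === 0;
    }

    // Fold a length mismatch into the accumulator instead of returning early,
    // so the loop below always runs over the full known length.
    $diff = $knownLen ^ $givenLen;

    // Index $given modulo its length so a deliberately short input cannot
    // shorten the loop or run past the end of the string.
    for ( $i = 0; $i < $knownLen; $i++ ) {
        $diff |= ord( $known[$i] ) ^ ord( $given[$i % $givenLen] );
    }
    return $diff === 0;
}

// Constructed sample values standing in for the session token in the
// database and the Token cookie sent by the client.
$storedToken = 'd41d8cd98f00b204e9800998ecf8427e'; // constructed, not a real token
$request = [
    // Stand-in for $request->getCookie( 'Token' ) from the report.
    'getCookie' => function ( $name ) {
        $cookies = [ 'Token' => 'd41d8cd98f00b204e9800998ecf8427e' ]; // constructed
        return isset( $cookies[$name] ) ? $cookies[$name] : null;
    },
];
$cookieToken = $request['getCookie']( 'Token' );

// Before: `===` returns as soon as the first byte differs, so response time
// reveals how many leading bytes a guess got right.
$passwordCorrectLeaky = ( strlen( $storedToken ) && $storedToken === $cookieToken );

// After: the strlen() guard still rejects an empty stored token, and the
// comparison itself no longer depends on the position of the first mismatch.
// The known (stored) value goes first, as with hash_equals( $known, $user ).
$passwordCorrect = ( strlen( $storedToken ) && constantTimeEquals( $storedToken, $cookieToken ) );

// Equivalent on PHP >= 5.6 using the built-in.
if ( function_exists( 'hash_equals' ) ) {
    $passwordCorrectBuiltin = ( strlen( $storedToken ) && hash_equals( $storedToken, $cookieToken ) );
}

// Sanity checks: matching input, mismatch in the first byte, mismatch in the
// last byte, and a length mismatch all behave like `===` in terms of result.
var_dump( constantTimeEquals( $storedToken, $cookieToken ) );                      // bool(true)
var_dump( constantTimeEquals( $storedToken, 'X' . substr( $cookieToken, 1 ) ) );  // bool(false)
var_dump( constantTimeEquals( $storedToken, substr( $cookieToken, 0, -1 ) . 'X' ) ); // bool(false)
var_dump( constantTimeEquals( $storedToken, substr( $cookieToken, 0, 8 ) ) );     // bool(false)
var_dump( constantTimeEquals( $storedToken, '' ) );                               // bool(false)
```

The argument order matters for both `constantTimeEquals` and `hash_equals`: the loop length and the early-exit behaviour are tied to the first argument, so the secret held by the server goes first and the client-supplied cookie second.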
Version: unspecified
Severity: normal