authorFabien Potencier <fabien.potencier@gmail.com>2015-11-23 11:41:47 +0100
committerFabien Potencier <fabien.potencier@gmail.com>2015-11-23 11:41:47 +0100
commitf6d11e7f3c9834df9dcb66407798bbf427132381 (patch)
tree5e10abe7d079ee8661f8dcb86b536012218214cc /Http/RememberMe
parentfeea3c13fa7d6f0966cc7e6dffdb48619844c9f9 (diff)
parent37c3a16866afab076aa9be28696b779f91a48fd3 (diff)
downloadsymfony-security-f6d11e7f3c9834df9dcb66407798bbf427132381.zip
symfony-security-f6d11e7f3c9834df9dcb66407798bbf427132381.tar.gz
symfony-security-f6d11e7f3c9834df9dcb66407798bbf427132381.tar.bz2
Merge branch '2.8'
* 2.8: removed usage of the deprecated StringUtils::equals() method Fix: Resolve tempdir symlink, not working on OSX fixed tests migrate session after remember me authentication prevent timing attacks in digest auth listener mitigate CSRF timing attack vulnerability fix potential timing attack issue [WebProfilerBundle] Added a top left border radius to the minified to… [Routing] Changing RouteCollectionBuilder::import() behavior to add to the builder [HttpKernel] Don't reset on shutdown but in FrameworkBundle/Test/KernelTestCase [Process] PhpExecutableFinder: add regression test
Diffstat (limited to 'Http/RememberMe')
-rw-r--r--Http/RememberMe/PersistentTokenBasedRememberMeServices.php2
1 files changed, 1 insertions, 1 deletions
diff --git a/Http/RememberMe/PersistentTokenBasedRememberMeServices.php b/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
index a8c086c..0a19d70 100644
--- a/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
+++ b/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
@@ -71,7 +71,7 @@ class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
list($series, $tokenValue) = $cookieParts;
$persistentToken = $this->tokenProvider->loadTokenBySeries($series);
- if ($persistentToken->getTokenValue() !== $tokenValue) {
+ if (!hash_equals($persistentToken->getTokenValue(), $tokenValue)) {
throw new CookieTheftException('This token was already used. The account is possibly compromised.');
}
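Review bot: The added `hash_equals()` call has no comment explaining why a plain `!==` is not acceptable here, so a later cleanup could quietly revert it. A one-line comment above the `if`, such as `// constant-time comparison: stored token first, cookie-supplied value second`, would record both the intent and the argument order. `hash_equals()` is built in only from PHP 5.6, so on older runtimes this line depends on a polyfill that is not visible in this diffstat, which is limited to `Http/RememberMe`. The function also expects two strings, and `getTokenValue()` comes from a pluggable token provider, so it is worth confirming that the provider always returns a string. The enclosing method starts and ends outside the hunk.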