Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.