https://github.com/rack/rack/blob/master/lib/rack/session/co...
https://rdist.root.org/2009/05/28/timing-attack-in-google-ke...
Of course, folks are much more likely to misuse their cookie secret than purposefully break a library function. That said, you can look at the history of most projects that use HMAC to authenticate data and they did it wrong.
(e.g. https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d6...)
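An added example, not part of the comment above and not Rack's own code: one common way HMAC verification of a signed cookie goes wrong is comparing the tag with `==`, which is the timing issue the linked article's title refers to. The sketch below puts that check beside a constant-time one. The `data--digest` cookie layout, the secret, and all method names are assumptions made for illustration.

```ruby
require 'openssl'

# Constructed secret for illustration only; a real one is long and random.
SECRET = 'constructed-demo-secret'

# Hex-encoded HMAC-SHA256 tag over the cookie payload.
def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, data)
end

# Weak form: String#== can stop at the first differing byte, so the time
# taken depends on how much of the supplied tag is correct.
def verify_naive(data, tag, secret = SECRET)
  sign(data, secret) == tag
end

# Constant-time comparison: for equal-length inputs every byte is examined
# and the differences are OR-ed together before a single final check.
# The length itself is not secret (the digest size is public).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hardened form: split on the last "--", recompute the tag, compare in
# constant time, and only then hand the payload back to the caller.
def verify_hardened(cookie, secret = SECRET)
  data, sep, tag = cookie.rpartition('--')
  return nil if sep.empty? || data.empty?
  return nil unless secure_compare(sign(data, secret), tag)
  data
end

if __FILE__ == $PROGRAM_NAME
  cookie = "user_id=42--#{sign('user_id=42')}" # constructed sample cookie
  p verify_hardened(cookie)
  p verify_hardened(cookie.sub('42', '43'))
end
```

The payload is returned only after the tag verifies, so callers never parse unauthenticated data.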