Timing attack vector for remember me token

The current remember_me token verification process leaves the application open to a timing attack. Since the default is for the token to be stored as a cookie and for cookies to be encrypted, an attacker would have to know the application secret to exploit this. However, should a custom guard be used or cookies not be encrypted, it becomes possible to tease this value out. The proposed change switches to comparing the token using a constant-time comparison. This makes it impossible to learn the value of the token by timing responses, independently of guard or encryption settings.