diff --git a/session-manager/session_auth.py b/session-manager/session_auth.py
index 83f2af3..c81491c 100644
--- a/session-manager/session_auth.py
+++ b/session-manager/session_auth.py
@@ -83,8 +83,8 @@ class SessionTokenManager:
         session_data = self._session_tokens[session_id]
-        # Check if token matches
-        if session_data["token"] != token:
+        # Check if token matches using constant-time comparison to prevent timing attacks
+        if not secrets.compare_digest(session_data["token"], token):
             return False, "Invalid token"
         # Check if token has expired
@@ -212,7 +212,7 @@ def revoke_session_auth_token(session_id: str) -> bool:
 def rotate_session_auth_token(session_id: str) -> Optional[str]:
     """Rotate a session authentication token."""
-    return _session_token_manager.rotate_session_auth_token(session_id)
+    return _session_token_manager.rotate_session_token(session_id)
 def cleanup_expired_auth_tokens() -> int:
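Review bot: The new `secrets.compare_digest` call in the first hunk raises `TypeError` instead of returning `(False, "Invalid token")` when the caller-supplied `token` is not a `str` or contains non-ASCII characters, because `compare_digest` only accepts two ASCII `str` values or two bytes-like values; the old `!=` check never raised, so a malformed token that previously failed closed now becomes an unhandled exception on what looks like an untrusted-input path. Normalise both sides to bytes and reject wrong types before comparing: `if not isinstance(token, str) or not secrets.compare_digest(` / `        session_data["token"].encode("utf-8"), token.encode("utf-8")):` / `    return False, "Invalid token"`. The hunk does not show the module's imports, so confirm `secrets` is imported at the top of the file rather than only assumed; a `NameError` here would also fail open into a 500 instead of a clean rejection. Note that even a constant-time compare still reveals a length mismatch as a distinct timing profile, which is acceptable only if the stored tokens are fixed-length, as the `secrets`-generated values presumably are. The enclosing method starts before and ends after this hunk.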