diff --git a/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java b/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java
index 43702cc0794..05d95a5c79c 100644
--- a/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java
+++ b/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java
@@ -23,6 +23,8 @@
 import com.google.gwt.util.tools.shared.StringUtils;
 import java.lang.reflect.Method;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
@@ -115,8 +117,11 @@ protected void validateXsrfToken(RpcToken token, Method method)
     String expectedToken = StringUtils.toHexString(
         Md5Utils.getMd5Digest(sessionCookie.getValue().getBytes()));
     XsrfToken xsrfToken = (XsrfToken) token;
+    String providedToken = xsrfToken.getToken();
-    if (!expectedToken.equals(xsrfToken.getToken())) {
+    if (providedToken == null || !MessageDigest.isEqual(
+        expectedToken.getBytes(StandardCharsets.UTF_8),
+        providedToken.getBytes(StandardCharsets.UTF_8))) {
       throw new RpcTokenException("Invalid XSRF token");
     }
   }
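Review bot: The expected token on the unchanged context line is still computed from `sessionCookie.getValue().getBytes()` with no charset, which follows the JVM's platform default on pre-18 runtimes, while the new comparison two lines below pins `StandardCharsets.UTF_8`; the mismatch is harmless for the compare itself, since `expectedToken` is a hex digest and therefore ASCII, but the digest input would differ between JVMs for any non-ASCII cookie value. Changing that call to `getBytes(StandardCharsets.UTF_8)` is presumably only safe if whatever issues the token is changed in lockstep, so at minimum I would leave a comment there recording that dependency. The new `isEqual` call also deserves a why-comment so nobody simplifies it back to `equals()`: `// Constant-time compare: String.equals() short-circuits on the first differing char and leaks how much of the token matched.` Note that `MessageDigest.isEqual` still returns immediately on a length mismatch, which here only reveals that the supplied token is not a well-formed fixed-width hex digest rather than anything about its contents. validateXsrfToken begins before this hunk; only its signature is visible, in the hunk header.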