
I wonder why they recommend hashing server tokens in some cases. Is it so that someone who can read the database can’t hijack an account? Or am I misunderstanding why hashing is used?


My guess is that it's so people who manage to access a database backup cannot hijack accounts, plus it gives a good defence against timing attacks as a bonus.


More generally it protects against anybody who has access to the database, including bad actors if it's leaked.

I don't think it protects against timing attacks because the common way of doing it is just to use sha256 and use the resulting hash to do a lookup in the database. This is not a fixed-time operation.


Suppose you used the timing attack to recover the hash of a token; now you need to compute a preimage of the hash.


Exactly that. (Hijack session rather than account: any competently designed system should require re-auth before any action that would allow permanent account takeover).
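The scheme discussed in this thread, as an added example that is not part of any comment: the server stores only the SHA-256 of each session token and looks sessions up by that hash, so a value read from the database or a backup is not itself a usable token. The table, column and function names are assumptions, and an in-memory SQLite database stands in for the real store.

```python
import hashlib
import secrets
import sqlite3


def token_digest(token: str) -> str:
    """SHA-256 of the token, hex encoded. This is the only form the server stores."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def open_store() -> sqlite3.Connection:
    # Hypothetical schema: the hash is the lookup key, the raw token has no column.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL)"
    )
    return db


def issue_token(db: sqlite3.Connection, user_id: int) -> str:
    # 32 random bytes: the token is high entropy, so a fast unsalted hash is
    # enough (unlike passwords, there is nothing to guess from a dictionary).
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions VALUES (?, ?)", (token_digest(token), user_id))
    return token  # handed to the client once, never written to the database


def authenticate(db: sqlite3.Connection, presented: str):
    # The presented value is hashed before the lookup. The index lookup is not
    # constant time, but it compares hashes, so anything leaked through timing
    # is hash material, and using it still requires a SHA-256 preimage.
    row = db.execute(
        "SELECT user_id FROM sessions WHERE token_hash = ?",
        (token_digest(presented),),
    ).fetchone()
    return row[0] if row else None


def leaked_hashes(db: sqlite3.Connection) -> list:
    """What someone with read access to the table or a backup would see."""
    return [r[0] for r in db.execute("SELECT token_hash FROM sessions")]


if __name__ == "__main__":
    db = open_store()
    tok = issue_token(db, user_id=42)  # constructed sample user id
    print("real token accepted:", authenticate(db, tok) == 42)
    for h in leaked_hashes(db):
        print("stored hash replayed as token:", authenticate(db, h))
```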



