diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
index 731f08a929d23..64f6c5764f975 100644
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -168,8 +168,8 @@ def clear_old_cookie_value
 if "foo".respond_to?(:force_encoding)
 # constant-time comparison algorithm to prevent timing attacks
 def secure_compare(a, b)
- a = a.force_encoding(Encoding::BINARY)
- b = b.force_encoding(Encoding::BINARY)
+ a = a.dup.force_encoding(Encoding::BINARY)
+ b = b.dup.force_encoding(Encoding::BINARY)
 if a.length == b.length
 result = 0