
Fix for not having and old secret like Sinatra :)

1 parent e20baec commit f8e86b295879083c2dbb992637bf0f6c2457fa35 Monica Wilkinson committed
Showing with 8 additions and 3 deletions.
  1. +4 −3 lib/rack/session/cookie.rb
  2. +4 −0 test/spec_session_cookie.rb
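--- a/lib/rack/session/cookie.rb
+++ b/lib/rack/session/cookie.rb
@@ -104,10 +104,11 @@ def unpacked_cookie_data(env)
 request = Rack::Request.new(env)
 session_data = request.cookies[@key]
-if (@secret || @old_secret) && session_data
+if @secret && session_data
 session_data, digest = session_data.split("--")
-if (digest != generate_hmac(session_data, @secret)) && (digest != generate_hmac(session_data, @old_secret))
-session_data = nil
+unless digest == generate_hmac(session_data, @secret)
+# Clear the session data if secret doesn't match and old secret doesn't match
+session_data = nil if (@old_secret.nil? || (digest != generate_hmac(session_data, @old_secret)))
 end
 end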
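Review bot: The new guard `if @secret && session_data` skips signature verification entirely when only `@old_secret` is configured, so in that configuration the cookie payload is unpacked without any HMAC check, whereas the guard it replaces accepted either secret. Both secrets should be handled the same way: verify against each one that is actually set and clear the data when none matches, which keeps this commit's `@old_secret.nil?` fix while closing that gap. Separately, `digest == generate_hmac(...)` is an ordinary string comparison that stops at the first differing byte; a constant-time comparison (`Rack::Utils.secure_compare`, if it is available in this Rack version) is the usual choice for checking a MAC. `unpacked_cookie_data` begins and ends outside the hunk.
```ruby
if (@secret || @old_secret) && session_data
  session_data, digest = session_data.split("--")
  # Keep the payload only when the digest matches a configured secret;
  # nil secrets are skipped, so a missing old secret no longer raises.
  # NOTE(review): prefer a constant-time comparison here if one is available.
  secrets = [@secret, @old_secret].compact
  session_data = nil unless secrets.any? { |s| digest == generate_hmac(session_data, s) }
end
```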
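--- a/test/spec_session_cookie.rb
+++ b/test/spec_session_cookie.rb
@@ -147,6 +147,10 @@ def decode(str); @calls << :decode; str; end
 res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor, :secret => 'test')).
 get("/", "HTTP_COOKIE" => cookie)
 res.body.should.equal '{"counter"=>3}'
+cookie = res["Set-Cookie"]
+res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor, :secret => 'another secret')).
+get("/", "HTTP_COOKIE" => cookie)
+res.body.should.equal '{"counter"=>1}'
 end
 it "loads from a cookie wih accept-only integrity hash for graceful key rotation" do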
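Review bot: The added case only exercises the `@old_secret.nil?` half of the new condition in `unpacked_cookie_data`, since the middleware is built with `:secret => 'another secret'` and no `:old_secret`. A companion request with both `:secret` and `:old_secret` set to values that match neither the cookie's digest, also expecting `'{"counter"=>1}'`, would pin the other half (reject when an old secret is present but wrong). The following spec begins on the hunk's last line, so it is unclear from here whether it already covers that.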
