diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb
index ab61dadb8..ed9ee588b 100644
--- a/lib/rack/session/cookie.rb
+++ b/lib/rack/session/cookie.rb
@@ -106,8 +106,10 @@ def unpacked_cookie_data(env)
 if @secrets.size > 0 && session_data
 session_data, digest = session_data.split("--")
- ok = @secrets.any? do |secret|
- secret && digest == generate_hmac(session_data, secret)
+ if session_data && digest
+ ok = @secrets.any? do |secret|
+ secret && digest == generate_hmac(session_data, secret)
+ end
 end
 session_data = nil unless ok
diff --git a/test/spec_session_cookie.rb b/test/spec_session_cookie.rb
index 7510f9b46..ab7d5188a 100644
--- a/test/spec_session_cookie.rb
+++ b/test/spec_session_cookie.rb
@@ -123,6 +123,10 @@ def decode(str); @calls << :decode; str; end
 res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor)).
 get("/", "HTTP_COOKIE" => "rack.session=blarghfasel")
 res.body.should.equal '{"counter"=>1}'
+
+ app = Rack::Session::Cookie.new(incrementor, :secret => 'test')
+ res = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => "rack.session=")
+ res.body.should.equal '{"counter"=>1}'
 end
 bigcookie = lambda do |env|
@@ -176,7 +180,7 @@ def decode(str); @calls << :decode; str; end
 response2 = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => tampered_with_cookie)
- # Tampared cookie was ignored. Counter is back to 1.
+ # Tampered cookie was ignored. Counter is back to 1.
 response2.body.should.equal '{"counter"=>1}'
 end
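Review bot: The digest check kept inside the new `if session_data && digest` guard still uses `digest == generate_hmac(session_data, secret)`, and String `==` is not a constant-time comparison, so verification time can vary with the supplied digest. A fixed-time comparison would close that, e.g. `secret && Rack::Utils.secure_compare(digest, generate_hmac(session_data, secret))` if this Rack revision ships that helper (not visible here). `ok` is now assigned only inside the guard and the fail-closed path relies on Ruby leaving it nil; an explicit `ok = false` before the guard would make that intent clear. unpacked_cookie_data starts and ends outside the hunk.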
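Review bot: The added case only covers an empty cookie value, where `split("--")` yields no session data; the other branch of the new guard, data present but no digest while a secret is configured, is not exercised. A second request such as `get("/", "HTTP_COOKIE" => "rack.session=blarghfasel")` against the `:secret => 'test'` app, asserting `'{"counter"=>1}'`, would pin that unsigned cookies are discarded rather than raising. The enclosing spec block starts outside the hunk.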