store hashed id, send public id

lib/rack/session/abstract/id.rb

@@ -26,11 +26,21 @@ def initialize(public_id)
         @public_id = public_id
       end
 
+      def private_id
+        hash_sid public_id
+      end
+
       alias :cookie_value :public_id
 
       def empty?; false; end
       def to_s; raise; end
       def inspect; public_id.inspect; end
+
+      private
+
+      def hash_sid(sid)
+        Digest::SHA256.hexdigest(sid)
+      end
     end
 
     module Abstract

lib/rack/session/memcache.rb

@@ -42,15 +42,15 @@ def initialize(app, options={})
       def generate_sid
         loop do
           sid = super
-          break sid unless @pool.get(sid.public_id, true)
+          break sid unless @pool.get(sid.private_id, true)
         end
       end
 
       def get_session(env, sid)
         with_lock(env) do
-          unless !sid.nil? and session = @pool.get(sid.public_id)
+          unless !sid.nil? and session = @pool.get(sid.private_id)
             sid, session = generate_sid, {}
-            unless /^STORED/ =~ @pool.add(sid.public_id, session)
+            unless /^STORED/ =~ @pool.add(sid.private_id, session)
               raise "Session collision on '#{sid.inspect}'"
             end
           end
@@ -63,14 +63,14 @@ def set_session(env, session_id, new_session, options)
         expiry = expiry.nil? ? 0 : expiry + 1
 
         with_lock(env) do
-          @pool.set session_id.public_id, new_session, expiry
+          @pool.set session_id.private_id, new_session, expiry
           session_id
         end
       end
 
       def destroy_session(env, session_id, options)
         with_lock(env) do
-          @pool.delete(session_id.public_id)
+          @pool.delete(session_id.private_id)
           generate_sid unless options[:drop]
         end
       end

lib/rack/session/pool.rb

@@ -43,24 +43,24 @@ def generate_sid
 
       def get_session(env, sid)
         with_lock(env) do
-          unless !sid.nil? and session = @pool[sid.public_id]
+          unless !sid.nil? and session = @pool[sid.private_id]
             sid, session = generate_sid, {}
-            @pool.store sid.public_id, session
+            @pool.store sid.private_id, session
           end
           [sid, session]
         end
       end
 
       def set_session(env, session_id, new_session, options)
         with_lock(env) do
-          @pool.store session_id.public_id, new_session
+          @pool.store session_id.private_id, new_session
           session_id
         end
       end
 
       def destroy_session(env, session_id, options)
         with_lock(env) do
-          @pool.delete(session_id.public_id)
+          @pool.delete(session_id.private_id)
           if options[:drop]
             NullSessionId.new
           else

test/spec_session_memcache.rb

@@ -225,11 +225,11 @@
       req = Rack::MockRequest.new(pool)
 
       res0 = req.get("/")
-      session_id = (cookie = res0["Set-Cookie"])[session_match, 1]
-      ses0 = pool.pool.get(session_id, true)
+      session_id = Rack::Session::SessionId.new (cookie = res0["Set-Cookie"])[session_match, 1]
+      ses0 = pool.pool.get(session_id.private_id, true)
 
       req.get("/", "HTTP_COOKIE" => cookie)
-      ses1 = pool.pool.get(session_id, true)
+      ses1 = pool.pool.get(session_id.private_id, true)
 
       ses1.should.not.equal ses0
     end