lib/rack/session/cookie.rb in rack-1.4.7 vs lib/rack/session/cookie.rb in rack-1.5.0.beta.1
- old
+ new
@@ -59,10 +59,11 @@
def encode(str)
super(::Marshal.dump(str))
end
def decode(str)
+ return unless str
::Marshal.load(super(str)) rescue nil
end
end
end
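Review bot: The added `return unless str` only covers a missing cookie; the next line `::Marshal.load(super(str)) rescue nil` still swallows every StandardError, so a truncated or malformed cookie is indistinguishable from an empty session and nothing is logged. Marshal.load also runs on whatever the caller passes, and when no `:secret` is configured the caller (unpacked_cookie_data, in a later hunk) hands it unauthenticated client bytes. Narrowing the modifier to `rescue ArgumentError, TypeError` and adding a comment above `decode` such as `# Only safe on cookie data that has passed the HMAC check; always configure :secret` would make both limits explicit. The enclosing coder class starts outside the hunk.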
@@ -95,11 +96,11 @@
super(app, options.merge!(:cookie_only => true))
end
private
- def load_session(env)
+ def get_session(env, sid)
data = unpacked_cookie_data(env)
data = persistent_session_id!(data)
[data["session_id"], data]
end
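Review bot: The new `get_session(env, sid)` signature never reads `sid` — the id is taken from `data["session_id"]` on the next lines — which next to the rename reads like an oversight rather than a choice. Either name it `_sid` or add `# sid is ignored: the cookie is the only source of the session id` above the method so the Abstract::ID contract is visibly satisfied on purpose. The enclosing class continues outside the hunk.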
@@ -112,18 +113,11 @@
request = Rack::Request.new(env)
session_data = request.cookies[@key]
if @secrets.size > 0 && session_data
session_data, digest = session_data.split("--")
-
- if session_data && digest
- ok = @secrets.any? do |secret|
- secret && Rack::Utils.secure_compare(digest, generate_hmac(session_data, secret))
- end
- end
-
- session_data = nil unless ok
+ session_data = nil unless digest_match?(session_data, digest)
end
coder.decode(session_data) || {}
end
end
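Review bot: The new line `session_data = nil unless digest_match?(session_data, digest)` drops the removed `Rack::Utils.secure_compare` call, and the helper it delegates to (defined in the later hunk @@ -157,9 +145,16) compares with `digest == generate_hmac(data, secret)`; `String#==` stops at the first differing byte, so the HMAC verification regresses to a timing-dependent comparison. Inside `digest_match?` the line should read `Rack::Utils.secure_compare(digest, generate_hmac(data, secret))`. The old `secret &&` guard is also gone, so a nil entry in `@secrets` presumably now raises from `OpenSSL::HMAC.hexdigest` instead of being skipped; keeping `secret && ...` in the `any?` block preserves that behavior. unpacked_cookie_data begins outside the hunk.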
@@ -132,22 +126,16 @@
data ||= {}
data["session_id"] ||= sid || generate_sid
data
end
- # Overwrite set cookie to bypass content equality and always stream the cookie.
-
- def set_cookie(env, headers, cookie)
- Utils.set_cookie_header!(headers, @key, cookie)
- end
-
def set_session(env, session_id, session, options)
session = session.merge("session_id" => session_id)
session_data = coder.encode(session)
if @secrets.first
- session_data = "#{session_data}--#{generate_hmac(session_data, @secrets.first)}"
+ session_data << "--#{generate_hmac(session_data, @secrets.first)}"
end
if session_data.size > (4096 - @key.size)
env["rack.errors"].puts("Warning! Rack::Session::Cookie data size exceeds 4K.")
nil
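Review bot: `session_data << "--#{generate_hmac(session_data, @secrets.first)}"` now mutates the string returned by `coder.encode` in place, where the removed interpolation built a fresh one. That is harmless for a coder that returns a new String per call, but a custom coder returning a frozen or memoized value would raise FrozenError or have its cached value corrupted; if the allocation saving is not needed, `session_data = "#{session_data}--#{generate_hmac(session_data, @secrets.first)}"` keeps the coder contract unconstrained. set_session continues beyond the hunk.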
@@ -157,9 +145,16 @@
end
def destroy_session(env, session_id, options)
# Nothing to do here, data is in the client
generate_sid unless options[:drop]
+ end
+
+ def digest_match?(data, digest)
+ return unless data && digest
+ @secrets.any? do |secret|
+ digest == generate_hmac(data, secret)
+ end
end
def generate_hmac(data, secret)
OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
end