Update cookie.rb to still allow old HMAC generation

Shaeli · ioquatix · commit 06835f18c5bf · 2025-10-03T14:09:26.000+13:00
I could be wrong, but I think that https://github.com/rack/rack/pull/1177/files is not backward compatible. It still allows to verify old sessions cookies with the `--$HMAC` format when using a set of a legacy options, but it doesn't allow to create cookies sessions with the old `--$HMAC` format, even with `legacy_generate_hmac` and `legacy_hmac_secret` are set. Comment in the code mentions this is backward compatible with the correct options, but still ``` if @Secrets.first session_data << "--#{generate_hmac(session_data, @Secrets.first)}" end ``` is removed and I don't see any other place where the `--$HMAC` could be set. This is adding it back.
diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb
@@ -266,6 +266,10 @@ def write_session(req, session_id, session, options)
         session = session.merge("session_id" => session_id)
         session_data = encode_session_data(session)
 
+        if @legacy_hmac_secret
+          session_data << "--#{legacy_generate_hmac(session_data)}"
+        end
+
         if session_data.size > (4096 - @key.size)
           req.get_header(RACK_ERRORS).puts("Warning! Rack::Session::Cookie data size exceeds 4K.")
           nil
