authorSantiago Pastorino <santiago@wyeworks.com>2013-04-22 17:08:23 -0700
committerSantiago Pastorino <santiago@wyeworks.com>2013-04-22 17:08:23 -0700
commit4b640a0d8057c24fcfd8257bc20cb26f2aaa546f (patch)
treec175983733ec3ee1019a1d153620be2b921b098e
parent0232e227b1cf3e67fbb82b2198311fa8ca618fbd (diff)
parent18a6b88f4a7b35f6ccf8927aa7e99016144d9668 (diff)
downloadrack-4b640a0d8057c24fcfd8257bc20cb26f2aaa546f.tar.gz
Merge pull request #523 from bdimcheff/fix-missing-digest
prevent crash when cookie doesn't contain "--"
-rw-r--r--lib/rack/session/cookie.rb2
-rw-r--r--test/spec_rack_session_cookie.rb5
2 files changed, 6 insertions, 1 deletions
diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb
index 63c426f0..9023de9f 100644
--- a/lib/rack/session/cookie.rb
+++ b/lib/rack/session/cookie.rb
@@ -55,7 +55,7 @@ module Rack
if @secret && session_data
session_data, digest = session_data.split("--")
- session_data = nil unless Utils.secure_compare(digest, generate_hmac(session_data))
+ session_data = nil unless session_data && digest && Utils.secure_compare(digest, generate_hmac(session_data))
end
begin
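Review bot: The rewritten guard on the `session_data = nil unless …` line carries a security decision that nothing in the code states: a cookie with no payload or no digest is treated as a failed HMAC check and dropped. I would add a comment above it such as `# Fail closed: a missing payload or digest counts as a failed HMAC check.` so a later refactor does not loosen it. Separately, `split("--")` on the context line above ignores anything after a second `--`; `session_data.split("--", 2)` would make such a cookie fail the comparison instead, though whether any caller relies on the lenient form is not visible here. The `if @secret && session_data` block and the `begin` that follows continue outside the hunk.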
diff --git a/test/spec_rack_session_cookie.rb b/test/spec_rack_session_cookie.rb
index 08e3a3f7..9c972976 100644
--- a/test/spec_rack_session_cookie.rb
+++ b/test/spec_rack_session_cookie.rb
@@ -52,6 +52,11 @@ context "Rack::Session::Cookie" do
res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor)).
get("/", "HTTP_COOKIE" => "rack.session=blarghfasel")
res.body.should.equal '{"counter"=>1}'
+
+ app = Rack::Session::Cookie.new(incrementor, :secret => 'test')
+ res = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => "rack.session=")
+ res.body.should.equal '{"counter"=>1}'
+
end
bigcookie = lambda { |env|
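Review bot: The added spec only sends an empty value (`rack.session=`) to the app configured with `:secret`, so the case named in the commit title, a non-empty cookie with no `--`, is not exercised with a secret set, unless a spec outside this hunk covers it. There `split` yields a payload and a nil digest, which is a different path through the new guard than the empty cookie, where presumably both are nil. I would add `res = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => "rack.session=blarghfasel")` followed by the same `res.body.should.equal '{"counter"=>1}'` assertion. The enclosing spec block starts above the hunk.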