From 06835f18c5bf930269a10b59528c01887ec91c44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?El=C3=A9onore=20Carpentier?= Date: Thu, 10 Jul 2025 14:03:45 +0200 Subject: [PATCH] Update cookie.rb to still allow old HMAC generation I could be wrong, but I think that https://github.com/rack/rack/pull/1177/files is not backward compatible. It still allows to verify old sessions cookies with the `--$HMAC` format when using a set of a legacy options, but it doesn't allow to create cookies sessions with the old `--$HMAC` format, even with `legacy_generate_hmac` and `legacy_hmac_secret` are set. Comment in the code mentions this is backward compatible with the correct options, but still ``` if @secrets.first session_data << "--#{generate_hmac(session_data, @secrets.first)}" end ``` is removed and I don't see any other place where the `--$HMAC` could be set. This is adding it back. --- lib/rack/session/cookie.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb index 830a4e3..b724822 100644 --- a/lib/rack/session/cookie.rb +++ b/lib/rack/session/cookie.rb @@ -266,6 +266,10 @@ def write_session(req, session_id, session, options) session = session.merge("session_id" => session_id) session_data = encode_session_data(session) + if @legacy_hmac_secret + session_data << "--#{legacy_generate_hmac(session_data)}" + end + if session_data.size > (4096 - @key.size) req.get_header(RACK_ERRORS).puts("Warning! Rack::Session::Cookie data size exceeds 4K.") nil
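Review bot: the guard `if @legacy_hmac_secret` turns emission of the old `--$HMAC` cookie format into a side effect of an option the commit message itself describes as needed for verifying old cookies; an application that sets `legacy_hmac_secret` only to keep accepting existing sessions during a migration would, with this hunk, silently keep issuing legacy-format cookies on every write and never actually complete the move to the new format. Gate generation behind the explicit opt-in the message already names, e.g. `if @legacy_hmac_secret && @legacy_generate_hmac`, and document that generating the legacy suffix is opt-in while verification is not. The hunk also mutates `session_data` in place with `<<` right after `encode_session_data(session)` and before the 4K size check, so the size check does cover the suffix, but nothing in the visible lines shows the read side splitting `--$HMAC` off before decoding; a round-trip test (write with the legacy suffix, read back through the legacy verification path) would confirm the change is actually backward compatible rather than only producing the old-looking string.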