RubyGems - rack - Versions diffs - 1.1.6 → 1.6.9 - Mend

rack 1.1.6 → 1.6.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

checksums.yaml +7 -0
data/COPYING +1 -1
data/HISTORY.md +375 -0
data/KNOWN-ISSUES +23 -0
data/README.rdoc +312 -0
data/Rakefile +124 -0
data/SPEC +125 -32
data/contrib/rack.png +0 -0
data/contrib/rack.svg +150 -0
data/contrib/rack_logo.svg +1 -1
data/contrib/rdoc.css +412 -0
data/example/protectedlobster.rb +1 -1
data/lib/rack/auth/abstract/handler.rb +4 -4
data/lib/rack/auth/abstract/request.rb +7 -5
data/lib/rack/auth/basic.rb +1 -1
data/lib/rack/auth/digest/md5.rb +7 -3
data/lib/rack/auth/digest/nonce.rb +1 -1
data/lib/rack/auth/digest/params.rb +7 -9
data/lib/rack/auth/digest/request.rb +10 -9
data/lib/rack/backports/uri/common_18.rb +56 -0
data/lib/rack/backports/uri/common_192.rb +52 -0
data/lib/rack/backports/uri/common_193.rb +29 -0
data/lib/rack/body_proxy.rb +39 -0
data/lib/rack/builder.rb +106 -22
data/lib/rack/cascade.rb +17 -6
data/lib/rack/chunked.rb +44 -24
data/lib/rack/commonlogger.rb +36 -13
data/lib/rack/conditionalget.rb +49 -17
data/lib/rack/config.rb +5 -0
data/lib/rack/content_length.rb +14 -6
data/lib/rack/content_type.rb +7 -1
data/lib/rack/deflater.rb +73 -15
data/lib/rack/directory.rb +18 -8
data/lib/rack/etag.rb +59 -9
data/lib/rack/file.rb +106 -44
data/lib/rack/handler/cgi.rb +11 -11
data/lib/rack/handler/fastcgi.rb +18 -6
data/lib/rack/handler/lsws.rb +2 -4
data/lib/rack/handler/mongrel.rb +22 -6
data/lib/rack/handler/scgi.rb +16 -8
data/lib/rack/handler/thin.rb +19 -4
data/lib/rack/handler/webrick.rb +72 -19
data/lib/rack/handler.rb +47 -14
data/lib/rack/head.rb +10 -2
data/lib/rack/lint.rb +260 -75
data/lib/rack/lobster.rb +13 -8
data/lib/rack/lock.rb +13 -3
data/lib/rack/logger.rb +0 -2
data/lib/rack/methodoverride.rb +27 -8
data/lib/rack/mime.rb +625 -167
data/lib/rack/mock.rb +78 -53
data/lib/rack/multipart/generator.rb +93 -0
data/lib/rack/multipart/parser.rb +253 -0
data/lib/rack/multipart/uploaded_file.rb +34 -0
data/lib/rack/multipart.rb +34 -0
data/lib/rack/nulllogger.rb +21 -2
data/lib/rack/recursive.rb +10 -5
data/lib/rack/reloader.rb +3 -2
data/lib/rack/request.rb +201 -74
data/lib/rack/response.rb +41 -28
data/lib/rack/rewindable_input.rb +15 -11
data/lib/rack/runtime.rb +16 -3
data/lib/rack/sendfile.rb +47 -29
data/lib/rack/server.rb +223 -47
data/lib/rack/session/abstract/id.rb +289 -30
data/lib/rack/session/cookie.rb +133 -44
data/lib/rack/session/memcache.rb +30 -56
data/lib/rack/session/pool.rb +19 -43
data/lib/rack/showexceptions.rb +53 -15
data/lib/rack/showstatus.rb +14 -7
data/lib/rack/static.rb +124 -12
data/lib/rack/tempfile_reaper.rb +22 -0
data/lib/rack/urlmap.rb +49 -15
data/lib/rack/utils/okjson.rb +600 -0
data/lib/rack/utils.rb +363 -361
data/lib/rack.rb +17 -23
data/rack.gemspec +11 -20
data/test/builder/anything.rb +5 -0
data/test/builder/comment.ru +4 -0
data/test/builder/end.ru +5 -0
data/test/builder/line.ru +1 -0
data/test/builder/options.ru +2 -0
data/test/cgi/assets/folder/test.js +1 -0
data/test/cgi/assets/fonts/font.eot +1 -0
data/test/cgi/assets/images/image.png +1 -0
data/test/cgi/assets/index.html +1 -0
data/test/cgi/assets/javascripts/app.js +1 -0
data/test/cgi/assets/stylesheets/app.css +1 -0
data/test/cgi/lighttpd.conf +26 -0
data/test/cgi/rackup_stub.rb +6 -0
data/test/cgi/sample_rackup.ru +5 -0
data/test/cgi/test +9 -0
data/test/cgi/test+directory/test+file +1 -0
data/test/cgi/test.fcgi +8 -0
data/test/cgi/test.ru +5 -0
data/test/gemloader.rb +10 -0
data/test/multipart/bad_robots +259 -0
data/test/multipart/binary +0 -0
data/test/multipart/content_type_and_no_filename +6 -0
data/test/multipart/empty +10 -0
data/test/multipart/fail_16384_nofile +814 -0
data/test/multipart/file1.txt +1 -0
data/test/multipart/filename_and_modification_param +7 -0
data/test/multipart/filename_and_no_name +6 -0
data/test/multipart/filename_with_escaped_quotes +6 -0
data/test/multipart/filename_with_escaped_quotes_and_modification_param +7 -0
data/test/multipart/filename_with_null_byte +7 -0
data/test/multipart/filename_with_percent_escaped_quotes +6 -0
data/test/multipart/filename_with_unescaped_percentages +6 -0
data/test/multipart/filename_with_unescaped_percentages2 +6 -0
data/test/multipart/filename_with_unescaped_percentages3 +6 -0
data/test/multipart/filename_with_unescaped_quotes +6 -0
data/test/multipart/ie +6 -0
data/test/multipart/invalid_character +6 -0
data/test/multipart/mixed_files +21 -0
data/test/multipart/nested +10 -0
data/test/multipart/none +9 -0
data/test/multipart/semicolon +6 -0
data/test/multipart/text +15 -0
data/test/multipart/three_files_three_fields +31 -0
data/test/multipart/webkit +32 -0
data/test/rackup/config.ru +31 -0
data/test/registering_handler/rack/handler/registering_myself.rb +8 -0
data/test/{spec_rack_auth_basic.rb → spec_auth_basic.rb} +23 -15
data/test/{spec_rack_auth_digest.rb → spec_auth_digest.rb} +56 -29
data/test/spec_body_proxy.rb +85 -0
data/test/spec_builder.rb +223 -0
data/test/{spec_rack_cascade.rb → spec_cascade.rb} +28 -15
data/test/{spec_rack_cgi.rb → spec_cgi.rb} +44 -31
data/test/spec_chunked.rb +101 -0
data/test/spec_commonlogger.rb +93 -0
data/test/spec_conditionalget.rb +102 -0
data/test/{spec_rack_config.rb → spec_config.rb} +6 -8
data/test/spec_content_length.rb +85 -0
data/test/spec_content_type.rb +45 -0
data/test/spec_deflater.rb +339 -0
data/test/{spec_rack_directory.rb → spec_directory.rb} +37 -10
data/test/spec_etag.rb +107 -0
data/test/{spec_rack_fastcgi.rb → spec_fastcgi.rb} +47 -29
data/test/spec_file.rb +221 -0
data/test/spec_handler.rb +72 -0
data/test/spec_head.rb +45 -0
data/test/{spec_rack_lint.rb → spec_lint.rb} +82 -60
data/test/spec_lobster.rb +58 -0
data/test/spec_lock.rb +164 -0
data/test/spec_logger.rb +23 -0
data/test/spec_methodoverride.rb +95 -0
data/test/spec_mime.rb +51 -0
data/test/{spec_rack_mock.rb → spec_mock.rb} +92 -38
data/test/{spec_rack_mongrel.rb → spec_mongrel.rb} +46 -53
data/test/spec_multipart.rb +600 -0
data/test/spec_nulllogger.rb +20 -0
data/test/spec_recursive.rb +72 -0
data/test/spec_request.rb +1227 -0
data/test/spec_response.rb +407 -0
data/test/spec_rewindable_input.rb +118 -0
data/test/spec_runtime.rb +49 -0
data/test/spec_sendfile.rb +130 -0
data/test/spec_server.rb +167 -0
data/test/spec_session_abstract_id.rb +53 -0
data/test/spec_session_cookie.rb +410 -0
data/test/{spec_rack_session_memcache.rb → spec_session_memcache.rb} +119 -71
data/test/{spec_rack_session_pool.rb → spec_session_pool.rb} +106 -69
data/test/spec_showexceptions.rb +85 -0
data/test/spec_showstatus.rb +103 -0
data/test/spec_static.rb +145 -0
data/test/spec_tempfile_reaper.rb +63 -0
data/test/{spec_rack_thin.rb → spec_thin.rb} +35 -35
data/test/{spec_rack_urlmap.rb → spec_urlmap.rb} +40 -19
data/test/spec_utils.rb +647 -0
data/test/spec_version.rb +17 -0
data/test/spec_webrick.rb +184 -0
data/test/static/another/index.html +1 -0
data/test/static/index.html +1 -0
data/test/testrequest.rb +78 -0
data/test/unregistered_handler/rack/handler/unregistered.rb +7 -0
data/test/unregistered_handler/rack/handler/unregistered_long_one.rb +7 -0
metadata +220 -239
data/RDOX +0 -0
data/README +0 -592
data/lib/rack/adapter/camping.rb +0 -22
data/test/spec_auth.rb +0 -57
data/test/spec_rack_builder.rb +0 -84
data/test/spec_rack_camping.rb +0 -55
data/test/spec_rack_chunked.rb +0 -62
data/test/spec_rack_commonlogger.rb +0 -61
data/test/spec_rack_conditionalget.rb +0 -41
data/test/spec_rack_content_length.rb +0 -43
data/test/spec_rack_content_type.rb +0 -30
data/test/spec_rack_deflater.rb +0 -127
data/test/spec_rack_etag.rb +0 -17
data/test/spec_rack_file.rb +0 -75
data/test/spec_rack_handler.rb +0 -43
data/test/spec_rack_head.rb +0 -30
data/test/spec_rack_lobster.rb +0 -45
data/test/spec_rack_lock.rb +0 -38
data/test/spec_rack_logger.rb +0 -21
data/test/spec_rack_methodoverride.rb +0 -60
data/test/spec_rack_nulllogger.rb +0 -13
data/test/spec_rack_recursive.rb +0 -77
data/test/spec_rack_request.rb +0 -594
data/test/spec_rack_response.rb +0 -221
data/test/spec_rack_rewindable_input.rb +0 -118
data/test/spec_rack_runtime.rb +0 -35
data/test/spec_rack_sendfile.rb +0 -86
data/test/spec_rack_session_cookie.rb +0 -92
data/test/spec_rack_showexceptions.rb +0 -21
data/test/spec_rack_showstatus.rb +0 -72
data/test/spec_rack_static.rb +0 -37
data/test/spec_rack_utils.rb +0 -557
data/test/spec_rack_webrick.rb +0 -130
data/test/spec_rackup.rb +0 -164

data/lib/rack/session/abstract/id.rb CHANGED Viewed

@@ -4,12 +4,163 @@
 require 'time'
 require 'rack/request'
 require 'rack/response'
+begin
+  require 'securerandom'
+rescue LoadError
+  # We just won't get securerandom
+end
 module Rack
   module Session
     module Abstract
+      ENV_SESSION_KEY = 'rack.session'.freeze
+      ENV_SESSION_OPTIONS_KEY = 'rack.session.options'.freeze
+      # SessionHash is responsible to lazily load the session from store.
+      class SessionHash
+        include Enumerable
+        attr_writer :id
+        def self.find(env)
+          env[ENV_SESSION_KEY]
+        end
+        def self.set(env, session)
+          env[ENV_SESSION_KEY] = session
+        end
+        def self.set_options(env, options)
+          env[ENV_SESSION_OPTIONS_KEY] = options.dup
+        end
+        def initialize(store, env)
+          @store = store
+          @env = env
+          @loaded = false
+        end
+        def id
+          return @id if @loaded or instance_variable_defined?(:@id)
+          @id = @store.send(:extract_session_id, @env)
+        end
+        def options
+          @env[ENV_SESSION_OPTIONS_KEY]
+        end
+        def each(&block)
+          load_for_read!
+          @data.each(&block)
+        end
+        def [](key)
+          load_for_read!
+          @data[key.to_s]
+        end
+        alias :fetch :[]
+        def has_key?(key)
+          load_for_read!
+          @data.has_key?(key.to_s)
+        end
+        alias :key? :has_key?
+        alias :include? :has_key?
+        def []=(key, value)
+          load_for_write!
+          @data[key.to_s] = value
+        end
+        alias :store :[]=
+        def clear
+          load_for_write!
+          @data.clear
+        end
+        def destroy
+          clear
+          @id = @store.send(:destroy_session, @env, id, options)
+        end
+        def to_hash
+          load_for_read!
+          @data.dup
+        end
+        def update(hash)
+          load_for_write!
+          @data.update(stringify_keys(hash))
+        end
+        alias :merge! :update
+        def replace(hash)
+          load_for_write!
+          @data.replace(stringify_keys(hash))
+        end
+        def delete(key)
+          load_for_write!
+          @data.delete(key.to_s)
+        end
+        def inspect
+          if loaded?
+            @data.inspect
+          else
+            "#<#{self.class}:0x#{self.object_id.to_s(16)} not yet loaded>"
+          end
+        end
+        def exists?
+          return @exists if instance_variable_defined?(:@exists)
+          @data = {}
+          @exists = @store.send(:session_exists?, @env)
+        end
+        def loaded?
+          @loaded
+        end
+        def empty?
+          load_for_read!
+          @data.empty?
+        end
+        def keys
+          @data.keys
+        end
+        def values
+          @data.values
+        end
+      private
+        def load_for_read!
+          load! if !loaded? && exists?
+        end
+        def load_for_write!
+          load! unless loaded?
+        end
+        def load!
+          @id, session = @store.send(:load_session, @env)
+          @data = stringify_keys(session)
+          @loaded = true
+        end
+        def stringify_keys(other)
+          hash = {}
+          other.each do |key, value|
+            hash[key.to_s] = value
+          end
+          hash
+        end
+      end
       # ID sets up a basic framework for implementing an id based sessioning
       # service. Cookies sent to the client for maintaining sessions will only
@@ -21,7 +172,9 @@ module Rack
       #   'rack.session'
       # * :path, :domain, :expire_after, :secure, and :httponly set the related
       #   cookie options as by Rack::Response#add_cookie
-      # * :defer will not set a cookie in the response.
+      # * :skip will not a set a cookie in the response nor update the session state
+      # * :defer will not set a cookie in the response but still update the session
+      #   state if it is used with a backend
       # * :renew (implementation dependent) will prompt the generation of a new
       #   session id, and migration of data to be referenced at the new id. If
       #   :defer is set, it will be overridden and the cookie will be set.
@@ -34,9 +187,13 @@ module Rack
       # recommended to change its value.
       #
       # Is Rack::Utils::Context compatible.
+      #
+      # Not included by default; you must require 'rack/session/abstract/id'
+      # to use.
       class ID
         DEFAULT_OPTIONS = {
+          :key =>           'rack.session',
           :path =>          '/',
           :domain =>        nil,
           :expire_after =>  nil,
@@ -44,14 +201,19 @@ module Rack
           :httponly =>      true,
           :defer =>         false,
           :renew =>         false,
-          :sidbits =>       128
+          :sidbits =>       128,
+          :cookie_only =>   true,
+          :secure_random => (::SecureRandom rescue false)
         }
         attr_reader :key, :default_options
         def initialize(app, options={})
           @app = app
-          @key = options[:key] || "rack.session"
           @default_options = self.class::DEFAULT_OPTIONS.merge(options)
+          @key = @default_options.delete(:key)
+          @cookie_only = @default_options.delete(:cookie_only)
+          initialize_sid
         end
         def call(env)
@@ -59,40 +221,102 @@ module Rack
         end
         def context(env, app=@app)
-          load_session(env)
+          prepare_session(env)
           status, headers, body = app.call(env)
           commit_session(env, status, headers, body)
         end
         private
+        def initialize_sid
+          @sidbits = @default_options[:sidbits]
+          @sid_secure = @default_options[:secure_random]
+          @sid_length = @sidbits / 4
+        end
         # Generate a new session id using Ruby #rand.  The size of the
         # session id is controlled by the :sidbits option.
         # Monkey patch this to use custom methods for session id generation.
-        def generate_sid
-          "%0#{@default_options[:sidbits] / 4}x" %
-            rand(2**@default_options[:sidbits] - 1)
+        def generate_sid(secure = @sid_secure)
+          if secure
+            secure.hex(@sid_length)
+          else
+            "%0#{@sid_length}x" % Kernel.rand(2**@sidbits - 1)
+          end
+        rescue NotImplementedError
+          generate_sid(false)
+        end
+        # Sets the lazy session at 'rack.session' and places options and session
+        # metadata into 'rack.session.options'.
+        def prepare_session(env)
+          session_was                  = env[ENV_SESSION_KEY]
+          env[ENV_SESSION_KEY]         = session_class.new(self, env)
+          env[ENV_SESSION_OPTIONS_KEY] = @default_options.dup
+          env[ENV_SESSION_KEY].merge! session_was if session_was
         end
         # Extracts the session id from provided cookies and passes it and the
-        # environment to #get_session. It then sets the resulting session into
-        # 'rack.session', and places options and session metadata into
-        # 'rack.session.options'.
+        # environment to #get_session.
         def load_session(env)
+          sid = current_session_id(env)
+          sid, session = get_session(env, sid)
+          [sid, session || {}]
+        end
+        # Extract session id from request object.
+        def extract_session_id(env)
           request = Rack::Request.new(env)
-          session_id = request.cookies[@key]
+          sid = request.cookies[@key]
+          sid ||= request.params[@key] unless @cookie_only
+          sid
+        end
+        # Returns the current session id from the SessionHash.
+        def current_session_id(env)
+          env[ENV_SESSION_KEY].id
+        end
+        # Check if the session exists or not.
+        def session_exists?(env)
+          value = current_session_id(env)
+          value && !value.empty?
+        end
-          begin
-            session_id, session = get_session(env, session_id)
-            env['rack.session'] = session
-          rescue
-            env['rack.session'] = Hash.new
+        # Session should be committed if it was loaded, any of specific options like :renew, :drop
+        # or :expire_after was given and the security permissions match. Skips if skip is given.
+        def commit_session?(env, session, options)
+          if options[:skip]
+            false
+          else
+            has_session = loaded_session?(session) || forced_session_update?(session, options)
+            has_session && security_matches?(env, options)
           end
+        end
+        def loaded_session?(session)
+          !session.is_a?(session_class) || session.loaded?
+        end
+        def forced_session_update?(session, options)
+          force_options?(options) && session && !session.empty?
+        end
-          env['rack.session.options'] = @default_options.
-            merge(:id => session_id)
+        def force_options?(options)
+          options.values_at(:max_age, :renew, :drop, :defer, :expire_after).any?
+        end
+        def security_matches?(env, options)
+          return true unless options[:secure]
+          request = Rack::Request.new(env)
+          request.ssl?
         end
         # Acquires the session from the environment and the session id from
@@ -101,25 +325,52 @@ module Rack
         # response with the session's id.
         def commit_session(env, status, headers, body)
-          session = env['rack.session']
-          options = env['rack.session.options']
-          session_id = options[:id]
+          session = env[ENV_SESSION_KEY]
+          options = session.options
+          if options[:drop] || options[:renew]
+            session_id = destroy_session(env, session.id || generate_sid, options)
+            return [status, headers, body] unless session_id
+          end
+          return [status, headers, body] unless commit_session?(env, session, options)
-          if not session_id = set_session(env, session_id, session, options)
+          session.send(:load!) unless loaded_session?(session)
+          session_id ||= session.id
+          session_data = session.to_hash.delete_if { |k,v| v.nil? }
+          if not data = set_session(env, session_id, session_data, options)
             env["rack.errors"].puts("Warning! #{self.class.name} failed to save session. Content dropped.")
           elsif options[:defer] and not options[:renew]
-            env["rack.errors"].puts("Defering cookie for #{session_id}") if $VERBOSE
+            env["rack.errors"].puts("Deferring cookie for #{session_id}") if $VERBOSE
           else
             cookie = Hash.new
-            cookie[:value] = session_id
-            cookie[:expires] = Time.now + options[:expire_after] unless options[:expire_after].nil?
-            Utils.set_cookie_header!(headers, @key, cookie.merge(options))
+            cookie[:value] = data
+            cookie[:expires] = Time.now + options[:expire_after] if options[:expire_after]
+            cookie[:expires] = Time.now + options[:max_age] if options[:max_age]
+            set_cookie(env, headers, cookie.merge!(options))
           end
           [status, headers, body]
         end
-        # All thread safety and session retrival proceedures should occur here.
+        # Sets the cookie back to the client with session id. We skip the cookie
+        # setting if the value didn't change (sid is the same) or expires was given.
+        def set_cookie(env, headers, cookie)
+          request = Rack::Request.new(env)
+          if request.cookies[@key] != cookie[:value] || cookie[:expires]
+            Utils.set_cookie_header!(headers, @key, cookie)
+          end
+        end
+        # Allow subclasses to prepare_session for different Session classes
+        def session_class
+          SessionHash
+        end
+        # All thread safety and session retrieval procedures should occur here.
         # Should return [session_id, session].
         # If nil is provided as the session id, generation of a new valid id
         # should occur within.
@@ -128,12 +379,20 @@ module Rack
           raise '#get_session not implemented.'
         end
-        # All thread safety and session storage proceedures should occur here.
-        # Should return true or false dependant on whether or not the session
-        # was saved or not.
+        # All thread safety and session storage procedures should occur here.
+        # Must return the session id if the session was saved successfully, or
+        # false if the session could not be saved.
         def set_session(env, sid, session, options)
           raise '#set_session not implemented.'
         end
+        # All thread safety and session destroy procedures should occur here.
+        # Should return a new session id or nil if options[:drop]
+        def destroy_session(env, sid, options)
+          raise '#destroy_session not implemented'
+        end
       end
     end
   end

data/lib/rack/session/cookie.rb CHANGED Viewed

@@ -1,15 +1,21 @@
 require 'openssl'
+require 'zlib'
 require 'rack/request'
 require 'rack/response'
+require 'rack/session/abstract/id'
 module Rack
   module Session
     # Rack::Session::Cookie provides simple cookie based session management.
-    # The session is a Ruby Hash stored as base64 encoded marshalled data
-    # set to :key (default: rack.session).
+    # By default, the session is a Ruby Hash stored as base64 encoded marshalled
+    # data set to :key (default: rack.session).  The object that encodes the
+    # session data is configurable and must respond to +encode+ and +decode+.
+    # Both methods must take a string and return a string.
+    #
     # When the secret key is set, cookie data is checked for data integrity.
+    # The old secret key is also accepted and allows graceful secret rotation.
     #
     # Example:
     #
@@ -17,17 +23,88 @@ module Rack
     #                                :domain => 'foo.com',
     #                                :path => '/',
     #                                :expire_after => 2592000,
-    #                                :secret => 'change_me'
+    #                                :secret => 'change_me',
+    #                                :old_secret => 'also_change_me'
     #
     #     All parameters are optional.
+    #
+    # Example of a cookie with no encoding:
+    #
+    #   Rack::Session::Cookie.new(application, {
+    #     :coder => Rack::Session::Cookie::Identity.new
+    #   })
+    #
+    # Example of a cookie with custom encoding:
+    #
+    #   Rack::Session::Cookie.new(application, {
+    #     :coder => Class.new {
+    #       def encode(str); str.reverse; end
+    #       def decode(str); str.reverse; end
+    #     }.new
+    #   })
+    #
+    class Cookie < Abstract::ID
+      # Encode session cookies as Base64
+      class Base64
+        def encode(str)
+          [str].pack('m')
+        end
+        def decode(str)
+          str.unpack('m').first
+        end
+        # Encode session cookies as Marshaled Base64 data
+        class Marshal < Base64
+          def encode(str)
+            super(::Marshal.dump(str))
+          end
+          def decode(str)
+            return unless str
+            ::Marshal.load(super(str)) rescue nil
+          end
+        end
+        # N.B. Unlike other encoding methods, the contained objects must be a
+        # valid JSON composite type, either a Hash or an Array.
+        class JSON < Base64
+          def encode(obj)
+            super(::Rack::Utils::OkJson.encode(obj))
+          end
+          def decode(str)
+            return unless str
+            ::Rack::Utils::OkJson.decode(super(str)) rescue nil
+          end
+        end
-    class Cookie
+        class ZipJSON < Base64
+          def encode(obj)
+            super(Zlib::Deflate.deflate(::Rack::Utils::OkJson.encode(obj)))
+          end
+          def decode(str)
+            return unless str
+            ::Rack::Utils::OkJson.decode(Zlib::Inflate.inflate(super(str)))
+          rescue
+            nil
+          end
+        end
+      end
+      # Use no encoding for session cookies
+      class Identity
+        def encode(str); str; end
+        def decode(str); str; end
+      end
+      attr_reader :coder
       def initialize(app, options={})
-        @app = app
-        @key = options[:key] || "rack.session"
-        @secret = options[:secret]
-        warn <<-MSG unless @secret
+        @secrets = options.values_at(:secret, :old_secret).compact
+        warn <<-MSG unless @secrets.size >= 1
         SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
         This poses a security threat. It is strongly recommended that you
         provide a secret to prevent exploits that may be possible from crafted
@@ -36,62 +113,74 @@ module Rack
         Called from: #{caller[0]}.
         MSG
-        @default_options = {:domain => nil,
-          :path => "/",
-          :expire_after => nil}.merge(options)
+        @coder  = options[:coder] ||= Base64::Marshal.new
+        super(app, options.merge!(:cookie_only => true))
       end
-      def call(env)
-        load_session(env)
-        status, headers, body = @app.call(env)
-        commit_session(env, status, headers, body)
+      private
+      def get_session(env, sid)
+        data = unpacked_cookie_data(env)
+        data = persistent_session_id!(data)
+        [data["session_id"], data]
       end
-      private
+      def extract_session_id(env)
+        unpacked_cookie_data(env)["session_id"]
+      end
-      def load_session(env)
-        request = Rack::Request.new(env)
-        session_data = request.cookies[@key]
+      def unpacked_cookie_data(env)
+        env["rack.session.unpacked_cookie_data"] ||= begin
+          request = Rack::Request.new(env)
+          session_data = request.cookies[@key]
-        if @secret && session_data
-          session_data, digest = session_data.split("--")
-          session_data = nil  unless Utils.secure_compare(digest, generate_hmac(session_data))
-        end
+          if @secrets.size > 0 && session_data
+            digest, session_data = session_data.reverse.split("--", 2)
+            digest.reverse! if digest
+            session_data.reverse! if session_data
+            session_data = nil unless digest_match?(session_data, digest)
+          end
-        begin
-          session_data = session_data.unpack("m*").first
-          session_data = Marshal.load(session_data)
-          env["rack.session"] = session_data
-        rescue
-          env["rack.session"] = Hash.new
+          coder.decode(session_data) || {}
         end
+      end
-        env["rack.session.options"] = @default_options.dup
+      def persistent_session_id!(data, sid=nil)
+        data ||= {}
+        data["session_id"] ||= sid || generate_sid
+        data
       end
-      def commit_session(env, status, headers, body)
-        session_data = Marshal.dump(env["rack.session"])
-        session_data = [session_data].pack("m*")
+      def set_session(env, session_id, session, options)
+        session = session.merge("session_id" => session_id)
+        session_data = coder.encode(session)
-        if @secret
-          session_data = "#{session_data}--#{generate_hmac(session_data)}"
+        if @secrets.first
+          session_data << "--#{generate_hmac(session_data, @secrets.first)}"
         end
         if session_data.size > (4096 - @key.size)
-          env["rack.errors"].puts("Warning! Rack::Session::Cookie data size exceeds 4K. Content dropped.")
+          env["rack.errors"].puts("Warning! Rack::Session::Cookie data size exceeds 4K.")
+          nil
         else
-          options = env["rack.session.options"]
-          cookie = Hash.new
-          cookie[:value] = session_data
-          cookie[:expires] = Time.now + options[:expire_after] unless options[:expire_after].nil?
-          Utils.set_cookie_header!(headers, @key, cookie.merge(options))
+          session_data
         end
+      end
-        [status, headers, body]
+      def destroy_session(env, session_id, options)
+        # Nothing to do here, data is in the client
+        generate_sid unless options[:drop]
+      end
+      def digest_match?(data, digest)
+        return unless data && digest
+        @secrets.any? do |secret|
+          Rack::Utils.secure_compare(digest, generate_hmac(data, secret))
+        end
       end
-      def generate_hmac(data)
-        OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, @secret, data)
+      def generate_hmac(data, secret)
+        OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
       end
     end