From ae46756c37239eb4a195b2784f74135f37417725 Mon Sep 17 00:00:00 2001
From: benalavi <benalavi@gmail.com>
Date: Thu, 7 May 2009 19:51:09 -0700
Subject: [PATCH] changed CookieStore to marshall/unmarshall a sorted array to ensure consistent cookie value as hashes are unordered

---
 .../middleware/session/cookie_store.rb             |    4 ++--
 .../test/dispatch/session/cookie_store_test.rb     |    6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
index 547a2d2..03ed5e9 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -149,12 +149,12 @@ module ActionDispatch
 
         # Marshal a session hash into safe cookie data. Include an integrity hash.
         def marshal(session)
-          @verifier.generate(persistent_session_id!(session))
+          @verifier.generate(persistent_session_id!(session).sort{ |a, b| a[0].to_s <=> b[0].to_s })
         end
 
         # Unmarshal cookie data to a hash and verify its integrity.
         def unmarshal(cookie)
-          persistent_session_id!(@verifier.verify(cookie)) if cookie
+          persistent_session_id!(Hash[*@verifier.verify(cookie).flatten]) if cookie
         rescue ActiveSupport::MessageVerifier::InvalidSignature
           nil
         end
diff --git a/actionpack/test/dispatch/session/cookie_store_test.rb b/actionpack/test/dispatch/session/cookie_store_test.rb
index 3090a70..2a8f5fe 100644
--- a/actionpack/test/dispatch/session/cookie_store_test.rb
+++ b/actionpack/test/dispatch/session/cookie_store_test.rb
@@ -10,7 +10,7 @@ class CookieStoreTest < ActionController::IntegrationTest
                      :key => SessionKey, :secret => SessionSecret)
 
   Verifier = ActiveSupport::MessageVerifier.new(SessionSecret, 'SHA1')
-  SignedBar = Verifier.generate(:foo => "bar", :session_id => ActiveSupport::SecureRandom.hex(16))
+  SignedBar = Verifier.generate([[:foo, 'bar'], [:session_id, ActiveSupport::SecureRandom.hex(16)]])
 
   class TestController < ActionController::Base
     def no_session_access
@@ -23,9 +23,9 @@ class CookieStoreTest < ActionController::IntegrationTest
 
     def set_session_value
       session[:foo] = "bar"
-      render :text => Rack::Utils.escape(Verifier.generate(session.to_hash))
+      render :text => Rack::Utils.escape(Verifier.generate(session.to_hash.sort{ |a, b| a[0].to_s <=> b[0].to_s }))
     end
-
+    
     def get_session_value
       render :text => "foo: #{session[:foo].inspect}"
     end
-- 
1.5.5.1