diff --git a/rack-protection/lib/rack/protection/session_hijacking.rb b/rack-protection/lib/rack/protection/session_hijacking.rb
index f59f47d8..a949bffd 100644
--- a/rack-protection/lib/rack/protection/session_hijacking.rb
+++ b/rack-protection/lib/rack/protection/session_hijacking.rb
@@ -12,6 +12,7 @@ module Rack
 # from Firesheep. Since all headers taken into consideration might be
 # spoofed, too, this will not prevent all hijacking attempts.
 class SessionHijacking < Base
+ default_reaction :drop_session
 default_options :tracking_key => :tracking, :encrypt_tracking => true,
 :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE HTTP_VERSION]
@@ -20,10 +21,10 @@ module Rack
 session = session env
 key = options[:tracking_key]
 if session.include? key
- session[key].all? { |k,v| env[k] == encrypt(v) }
+ session[key].all? { |k,v| v == encrypt(env[k]) }
 else
 session[key] = {}
- options[:track].each { |k| session[k] = encrypt(env[k]) }
+ options[:track].each { |k| session[key][k] = encrypt(env[k]) }
 end
 end
diff --git a/rack-protection/spec/session_hijacking_spec.rb b/rack-protection/spec/session_hijacking_spec.rb
index d341f27c..ff4cc2b2 100644
--- a/rack-protection/spec/session_hijacking_spec.rb
+++ b/rack-protection/spec/session_hijacking_spec.rb
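Review bot: The added `default_reaction :drop_session` makes a detected mismatch clear the session while the request itself is still served, and nothing next to the setting says so; the visible class comment only warns that the tracked headers can be spoofed. A one-line comment on the added line, `# a tracking mismatch empties the session instead of rejecting the request`, would make the trade-off visible where it is configured. Whether and how callers can override the reaction is decided in Base, outside this hunk.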
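Review bot: The `all?` comparison on the new `if` branch assumes `session[key]` is still a Hash of recorded fingerprints; if the session store does not round-trip the Symbol `:tracking` key (so `session.include? key` is never true) the protection would silently re-record on every request, and if the entry is present but malformed the call would raise instead of dropping the session. A guard such as `if session.include?(key) && session[key].is_a?(Hash)` before the comparison, falling through to the recording branch otherwise, fails closed in both cases. I would also add `# existing session: every recorded (encrypted) header must match this request` above the comparison, since its direction is exactly what the previous version got wrong. Style: `{ |k,v| ... }` wants a space after the comma on both changed lines. The `def accepts?` line of the enclosing method sits above the hunk.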
@@ -2,9 +2,39 @@ require File.expand_path('../spec_helper.rb', __FILE__)
 describe Rack::Protection::SessionHijacking do
 it_behaves_like "any rack application"
- it "accepts a session without changes to tracked parameters"
- it "denies requests with a changing User-Agent header"
- it "denies requests with a changing Accept-Encoding header"
- it "denies requests with a changing Accept-Language header"
- it "denies requests with a changing Version header"
+
+ it "accepts a session without changes to tracked parameters" do
+ session = {:foo => :bar}
+ get '/', {}, 'rack.session' => session
+ get '/', {}, 'rack.session' => session
+ session[:foo].should == :bar
+ end
+
+ it "denies requests with a changing User-Agent header" do
+ session = {:foo => :bar}
+ get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
+ get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
+ session.should be_empty
+ end
+
+ it "denies requests with a changing Accept-Encoding header" do
+ session = {:foo => :bar}
+ get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
+ get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
+ session.should be_empty
+ end
+
+ it "denies requests with a changing Accept-Language header" do
+ session = {:foo => :bar}
+ get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+ get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'b'
+ session.should be_empty
+ end
+
+ it "denies requests with a changing Version header"do
+ session = {:foo => :bar}
+ get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'
+ get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.1'
+ session.should be_empty
+ end
 end
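Review bot: The "accepts a session without changes" example only asserts `session[:foo].should == :bar`, which also passes if the middleware never records anything; adding `session.should include(:tracking)` after the first `get` would show that a fingerprint was actually stored under the default tracking key. The four "denies requests" examples assert `session.should be_empty`, which is what a dropped session looks like, but their names promise a denied request; either rename them to "drops the session when ... changes" or additionally assert on the response so the title and the check agree. Style: `it "denies requests with a changing Version header"do` is missing the space before `do`.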