From 4e40d2c5ce93a629086ceb88283aa1c1111d1f4b Mon Sep 17 00:00:00 2001
From: Renne Nissinen
Date: Fri, 3 Jan 2014 04:33:50 +0200
Subject: [PATCH] Ignore changing Accept-Encoding header, fixes #56

---
 rack-protection/lib/rack/protection/session_hijacking.rb | 6 +++---
 rack-protection/spec/session_hijacking_spec.rb | 5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/rack-protection/lib/rack/protection/session_hijacking.rb b/rack-protection/lib/rack/protection/session_hijacking.rb
index b6738ffe..4ab047a1 100644
--- a/rack-protection/lib/rack/protection/session_hijacking.rb
+++ b/rack-protection/lib/rack/protection/session_hijacking.rb
@@ -9,12 +9,12 @@ module Rack
     #
     # Tracks request properties like the user agent in the session and empties
     # the session if those properties change. This essentially prevents attacks
-    # from Firesheep. Since all headers taken into consideration might be
-    # spoofed, too, this will not prevent all hijacking attempts.
+    # from Firesheep. Since all headers taken into consideration can be
+    # spoofed, too, this will not prevent determined hijacking attempts.
     class SessionHijacking < Base
       default_reaction :drop_session
       default_options :tracking_key => :tracking, :encrypt_tracking => true,
-        :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE]
+        :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]
 
       def accepts?(env)
         session = session env
diff --git a/rack-protection/spec/session_hijacking_spec.rb b/rack-protection/spec/session_hijacking_spec.rb
index 1692aa9e..21cd13fd 100644
--- a/rack-protection/spec/session_hijacking_spec.rb
+++ b/rack-protection/spec/session_hijacking_spec.rb
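Review bot: Dropping `HTTP_ACCEPT_ENCODING` from the `:track` default leaves no trace in the code of why that header is excluded, so a later maintainer could re-add it and regress #56; a short comment above the `default_options` line would keep the rationale next to the list, e.g. `# Accept-Encoding is deliberately not tracked: changes to it were clearing sessions of legitimate users (#56)`. The tracked fingerprint is now User-Agent and Accept-Language only, which the class comment's "will not prevent determined hijacking attempts" already concedes; deployments that prefer the stricter pre-#56 set can presumably pass their own `:track` list through the options, though how options are merged is not visible in this hunk. The `SessionHijacking` class body and `accepts?` continue outside the hunk.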
@@ -17,11 +17,12 @@ describe Rack::Protection::SessionHijacking do
     session.should be_empty
   end
 
-  it "denies requests with a changing Accept-Encoding header" do
+  it "accepts requests with a changing Accept-Encoding header" do
+    # this is tested because previously it led to clearing the session
     session = {:foo => :bar}
     get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
     get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
-    session.should be_empty
+    session.should_not be_empty
   end
 
   it "denies requests with a changing Accept-Language header" do
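Review bot: `session.should_not be_empty` on the last changed line is a weaker check than the example's title promises: any non-empty hash satisfies it, so it could in principle also pass if the session had been dropped and then repopulated with only the tracking entry. Asserting the user data directly, `session[:foo].should == :bar`, pins down that the original session content survived the header change. The comment added above the example explains the motivation; tying it to the issue would help future readers, e.g. `# regression test for #56: a changing Accept-Encoding used to clear the session`. The enclosing `describe` block begins and ends outside the hunk.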