
Update cookie.rb to support allow old HMAC generation

Open · Shaeli opened this issue 7 months ago · 1 comment

Hello,

I'm working on upgrading an old codebase that relies on the legacy session cookie format (with the --$HMAC suffix).

I noticed that after https://github.com/rack/rack/pull/1177/files (PR is not merged in rack/rack, but the code was merged manually in this repository based on this comment), the verification of old session cookies in this format is still supported when legacy options are set but new session cookies are no longer created with the --$HMAC suffix, even if legacy_generate_hmac and legacy_hmac_secret are provided.

The code comments suggest that backward compatibility should be maintained:

> When a :secret option was supplied, the integrity of the encoded data was protected with HMAC-SHA1. This functionality is still supported using a set of legacy options.

However, the code that previously appended the HMAC to new cookies appears to have been removed:

```ruby
if @secrets.first
  session_data << "--#{generate_hmac(session_data, @secrets.first)}"
end
```

I couldn't find any other place where the --$HMAC suffix is added for new cookies.

Would you consider restoring this behavior when legacy_hmac_secret is set?

I'm happy to update / add tests if this is acceptable, but I wanted to get an opinion first as I'm not familiar with this codebase and could be wrong here :)

Thanks a lot!

Shaeli · Sep 08 '25 15:09
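To make the legacy layout the issue talks about concrete, here is a constructed, stand-alone illustration of the `<payload>--<HMAC>` cookie format with both the generation branch (the conditional the quoted snippet used to perform) and the matching verifier. This is added example code, not rack-session's or Rack's implementation; the method names, the choice of JSON as the payload encoding, and the constant-time comparison helper are all assumptions made for the example.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed illustration of the legacy "<payload>--<hmac>" cookie layout.
# Method names, JSON as the payload encoding and the helper below are
# assumptions for this example; this is not rack-session's own code.
LEGACY_DIGEST = "SHA1".freeze # the quoted code comment names HMAC-SHA1

# Byte-wise comparison that does not stop at the first mismatch, so the time
# taken to reject a forged cookie does not reveal how many leading bytes of
# the MAC were correct. (Hex digests have a fixed length, so the length check
# leaks nothing useful.)
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  acc = 0
  b.each_byte { |byte| acc |= byte ^ left.shift }
  acc.zero?
end

# Hex HMAC over the already-encoded payload, mirroring the quoted
# generate_hmac(session_data, secret) call.
def legacy_generate_hmac(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(LEGACY_DIGEST), secret, data)
end

# Encoder mirroring the removed branch: the "--<hmac>" suffix is appended only
# when a legacy secret is configured; otherwise the bare payload is returned.
# Base64 output never contains "-", so the separator is unambiguous.
def encode_session(session, legacy_secret: nil)
  payload = Base64.strict_encode64(JSON.generate(session))
  return payload if legacy_secret.nil?
  "#{payload}--#{legacy_generate_hmac(payload, legacy_secret)}"
end

# Verifier for the legacy format. Returns the session hash, or nil when the
# suffix is missing, the MAC does not match, or the payload is malformed.
# The MAC is checked before the payload is decoded, so bytes that were not
# produced under the secret are never parsed.
def verify_legacy_session(cookie, legacy_secret)
  payload, digest = cookie.split("--", 2)
  return nil if digest.nil? || digest.empty?
  expected = legacy_generate_hmac(payload, legacy_secret)
  return nil unless secure_compare(digest, expected)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  cookie = encode_session({ "user_id" => 42 }, legacy_secret: "constructed-secret")
  puts cookie
  p verify_legacy_session(cookie, "constructed-secret") # the original session hash
  p verify_legacy_session(cookie, "wrong-secret")       # nil
end
```

Run it directly to see a cookie with the suffix, a successful round trip, and the rejection under a different secret. The two functions also show why generation and verification have to stay paired: a reader that still accepts the suffix is harmless on its own, but a writer that no longer emits it means every cookie it issues will fail the legacy check on any node that still requires one.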

Should we add a test for this case?

rafaelfranca · Oct 07 '25 16:10