2 files changed, 7 insertions, 2 deletions

diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 3477aa8b29..f2f3150b56 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -2,6 +2,7 @@ require 'active_support/core_ext/hash/keys'
 require 'active_support/key_generator'
 require 'active_support/message_verifier'
 require 'active_support/json'
+require 'rack/utils'
 
 module ActionDispatch
   class Request
@@ -337,7 +338,7 @@ module ActionDispatch
       end
 
       def to_header
-        @cookies.map { |k,v| "#{k}=#{v}" }.join ';'
+        @cookies.map { |k,v| "#{escape(k)}=#{escape(v)}" }.join '; '
       end
 
       def handle_options(options) #:nodoc:
@@ -419,6 +420,10 @@ module ActionDispatch
 
       private
 
+      def escape(string)
+        ::Rack::Utils.escape(string)
+      end
+
       def make_set_cookie_header(header)
         header = @set_cookies.inject(header) { |m, (k, v)|
           if write_cookie?(v)
diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
index 429a98f236..dec9c60ef2 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -23,7 +23,7 @@ module ActionDispatch
     # goes a step further than signed cookies in that encrypted cookies cannot
     # be altered or read by users. This is the default starting in Rails 4.
     #
-    # If you have both secret_token and secret_key base set, your cookies will
+    # If you have both secret_token and secret_key_base set, your cookies will
     # be encrypted, and signed cookies generated by Rails 3 will be
     # transparently read and encrypted to provide a smooth upgrade path.
     #