Diffstat (limited to 'actionpack/lib')
-rw-r--r--actionpack/lib/action_dispatch/middleware/cookies.rb24
1 files changed, 13 insertions, 11 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index b3831649a8..0213987c99 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -264,9 +264,9 @@ module ActionDispatch
end
def upgrade_legacy_hmac_aes_cbc_cookies?
- request.secret_key_base.present? &&
- request.encrypted_signed_cookie_salt.present? &&
- request.encrypted_cookie_salt.present? &&
+ request.secret_key_base.present? &&
+ request.encrypted_signed_cookie_salt.present? &&
+ request.encrypted_cookie_salt.present? &&
request.use_authenticated_cookie_encryption
end
@@ -570,12 +570,12 @@ module ActionDispatch
secret = request.key_generator.generate_key(request.signed_cookie_salt)
@verifier = ActiveSupport::MessageVerifier.new(secret, digest: signed_cookie_digest, serializer: SERIALIZER)
- request.cookies_rotations.signed.each do |rotation_options|
- @verifier.rotate serializer: SERIALIZER, **rotation_options
+ request.cookies_rotations.signed.each do |*secrets, **options|
+ @verifier.rotate(*secrets, serializer: SERIALIZER, **options)
end
if upgrade_legacy_signed_cookies?
- @verifier.rotate raw_key: request.secret_token, serializer: SERIALIZER
+ @verifier.rotate request.secret_token, serializer: SERIALIZER
end
end
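Review bot: The block signature `|*secrets, **options|` in the signed rotation loop relies on each element yielded by `request.cookies_rotations.signed` being auto-splatted and on a trailing options hash being turned into keywords, and Ruby does not do that consistently across versions (from Ruby 3.0 a proc taking only a rest argument plus keywords is no longer auto-splatted). The shape of the stored entries is not visible here, but if they are arrays such as `[secret, { digest: ... }]`, the whole array would land in `secrets` and `options` would be empty, so the rotated verifier would be built from the wrong arguments and old cookies would stop verifying. Destructuring explicitly removes the ambiguity: `each do |(*secrets)|` followed by `options = secrets.extract_options!`. The encrypted rotation loop in the next hunk uses the same signature and needs the same change. The enclosing method starts above this hunk.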
@@ -603,14 +603,16 @@ module ActionDispatch
secret = request.key_generator.generate_key(request.authenticated_encrypted_cookie_salt, key_len)
@encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: encrypted_cookie_cipher, serializer: SERIALIZER)
- request.cookies_rotations.encrypted.each do |rotation_options|
- @encryptor.rotate serializer: SERIALIZER, **rotation_options
+ request.cookies_rotations.encrypted.each do |*secrets, **options|
+ @encryptor.rotate(*secrets, serializer: SERIALIZER, **options)
end
if upgrade_legacy_hmac_aes_cbc_cookies?
- @encryptor.rotate \
- key_generator: request.key_generator, salt: request.encrypted_cookie_salt, signed_salt: request.encrypted_signed_cookie_salt,
- cipher: "aes-256-cbc", digest: digest, serializer: SERIALIZER
+ legacy_cipher = "aes-256-cbc"
+ secret = request.key_generator.generate_key(request.encrypted_cookie_salt, ActiveSupport::MessageEncryptor.key_len(legacy_cipher))
+ sign_secret = request.key_generator.generate_key(request.encrypted_signed_cookie_salt)
+
+ @encryptor.rotate(secret, sign_secret, cipher: legacy_cipher, digest: digest, serializer: SERIALIZER)
end
if upgrade_legacy_signed_cookies?
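Review bot: In the legacy AES-CBC branch the local `secret` is reassigned, so the name that held the key for the primary encryptor at the top of the hunk now holds the legacy CBC key. Nothing visible reads `secret` afterwards, but the method continues past the hunk, and a later use would silently pick up the legacy key. A distinct name keeps the two keys apart: `legacy_secret = request.key_generator.generate_key(request.encrypted_cookie_salt, ActiveSupport::MessageEncryptor.key_len(legacy_cipher))` and `@encryptor.rotate(legacy_secret, sign_secret, cipher: legacy_cipher, digest: digest, serializer: SERIALIZER)`.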