Unable to use custom sessions with rack-protection hijacking #757

Closed
@da99

Description

For some reason the following won't work:

use Rack::Session::Cookie,  :secret=>"s...(omitting for brevity)...." 
set :protection, :session => true
# fail:  you need to set up a session middleware *before* Rack::Protection::SessionHijacking

But, the following works:

enable :sessions
set :protection, :session => true

The Sinatra way, enable :sessions, sets up the Rack env 'rack.session' and rack-protection can see it. The custom way does not set it up by the time rack-protection tries to use it. I checked the source code and the custom Rack session cookie is doing pretty much the same thing that Sinatra is doing. Is this a Sinatra issue?
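
Added example, not part of the original post and not Sinatra or rack-protection code: a dependency-free sketch of why the error above depends on middleware order. `StubSession`, `StubHijackGuard`, `build_stack` and `try_request` are hypothetical stand-ins, and the user-agent check is a simplified assumption about what a session-hijacking guard does with the session.

```ruby
SESSION_KEY = 'rack.session'

# Stand-in for a session middleware: populates env['rack.session'].
class StubSession
  STORE = {} # constructed in-memory session shared across requests

  def initialize(app)
    @app = app
  end

  def call(env)
    env[SESSION_KEY] ||= STORE
    @app.call(env)
  end
end

# Stand-in for a session-dependent protection layer: it needs the session to
# exist already and resets it when the client fingerprint changes.
class StubHijackGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    session = env[SESSION_KEY] or
      raise "you need to set up a session middleware *before* #{self.class}"
    agent = env['HTTP_USER_AGENT'].to_s
    session.clear if session[:tracked_agent] && session[:tracked_agent] != agent
    session[:tracked_agent] ||= agent
    @app.call(env)
  end
end

# Builds a chain; the first class listed is outermost and sees the request first.
def build_stack(*middleware, app)
  middleware.reverse.inject(app) { |inner, klass| klass.new(inner) }
end

APP = ->(env) { [200, {}, [env[SESSION_KEY].inspect]] }

# Returns the status code, or the error message if the chain raised.
def try_request(stack, agent)
  stack.call('HTTP_USER_AGENT' => agent).first
rescue RuntimeError => e
  e.message
end
```

With the guard outermost, the request reaches it before anything has set `env['rack.session']`, so it raises; with the session stand-in outermost, the same guard passes and can reset the session on a fingerprint change.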
