From 3e26e06d06912341c9258cdd235461d196732aee Mon Sep 17 00:00:00 2001
From: Mike Perham
Date: Wed, 3 Jun 2020 22:11:53 -0700
Subject: [PATCH] Don't enable CSRF if sessions are disabled

---
 lib/sidekiq/web.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/sidekiq/web.rb b/lib/sidekiq/web.rb
index 9de36231..864aca78 100644
--- a/lib/sidekiq/web.rb
+++ b/lib/sidekiq/web.rb
@@ -155,12 +155,13 @@ module Sidekiq
 def build_sessions
 middlewares = self.middlewares
 
- unless using?(CsrfProtection) || ENV["RACK_ENV"] == "test"
+ s = sessions
+
+ # turn on CSRF protection if sessions are enabled and this is not the test env
+ if s && !using?(CsrfProtection) && ENV["RACK_ENV"] != "test"
 middlewares.unshift [[CsrfProtection], nil]
 end
 
- s = sessions
-
 if s && !using?(::Rack::Session::Cookie)
 unless (secret = Web.session_secret)
 require "securerandom"
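Review bot: The new comment above the `if s && !using?(CsrfProtection) ...` condition records the rule but not its security consequence: when `sessions` is falsy nothing else in this hunk adds CsrfProtection, so the Web UI's state-changing routes run with no CSRF check unless the host application supplies one, and an operator who disables sessions should be told that here rather than discover it later. I would extend the comment to `# CSRF protection needs the session to hold its token, so it is only added when sessions are on; with sessions disabled the host app is responsible for its own CSRF defence` (the dependency on the session is inferred from the commit title, not visible in this hunk, so confirm it against csrf_protection.rb). The `ENV["RACK_ENV"] != "test"` leg is carried over from the removed line, but now that it is one of three conditions it is worth a short note that a stray `RACK_ENV=test` in a real deployment silently disables the protection. build_sessions continues past the end of this hunk.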