kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Disable the Sidekiq Admin Rack session

Browse source 
GitLab already has its own session store, so this extra Sidekiq session is
unnecessary.  In addition, the GitLab session store properly sets the Secure
flag, unlike the default Rack session.

CSRF protection in the Sidekiq /admin page continues to work with the existing
GitLab session.

See https://github.com/mperham/sidekiq/pull/3183 for more details.

Part of #49120
This commit is contained in:
Stan Hu 2018-08-30 12:35:32 -07:00
parent 472f2d5666
commit 4442972b06
2 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
changelogs/unreleased/sh-disable-sidekiq-session.yml Normal file
View file

@ -0,0 +1,5 @@
---
title: Disable the Sidekiq Admin Rack session
merge_request: 21441
author:
type: security

6
config/initializers/sidekiq.rb
View file

@ -1,3 +1,9 @@
require 'sidekiq/web'
# Disable the Sidekiq Rack session since GitLab already has its own session store.
# CSRF protection still works (https://github.com/mperham/sidekiq/commit/315504e766c4fd88a29b7772169060afc4c40329).
Sidekiq::Web.set :sessions, false
# Custom Queues configuration
queues_config_hash = Gitlab::Redis::Queues.params
queues_config_hash[:namespace] = Gitlab::Redis::Queues::SIDEKIQ_NAMESPACE