Disable the Sidekiq Admin Rack session

GitLab already has its own session store, so this extra Sidekiq session is unnecessary. In addition, the GitLab session store properly sets the Secure flag, unlike the default Rack session. CSRF protection in the Sidekiq /admin page continues to work with the existing GitLab session. See https://github.com/mperham/sidekiq/pull/3183 for more details. Part of #49120

Disable the Sidekiq Admin Rack session
GitLab already has its own session store, so this extra Sidekiq session is unnecessary. In addition, the GitLab session store properly sets the Secure flag, unlike the default Rack session. CSRF protection in the Sidekiq /admin page continues to work with the existing GitLab session. See https://github.com/mperham/sidekiq/pull/3183 for more details. Part of #49120
4442972b · Stan Hu · 472f2d56 · 4442972b · 4442972b
Commit 4442972b authored Aug 30, 2018 by Stan Hu
Showing with 11 additions and 0 deletions

changelogs/unreleased/sh-disable-sidekiq-session.yml changelogs/unreleased/sh-disable-sidekiq-session.yml +5 -0

config/initializers/sidekiq.rb config/initializers/sidekiq.rb +6 -0

No files found.
--- a/changelogs/unreleased/sh-disable-sidekiq-session.yml
+++ b/changelogs/unreleased/sh-disable-sidekiq-session.yml
+---
+title: Disable the Sidekiq Admin Rack session
+merge_request: 21441
+author:
+type: security
--- a/config/initializers/sidekiq.rb
+++ b/config/initializers/sidekiq.rb
+require 'sidekiq/web'
+
+# Disable the Sidekiq Rack session since GitLab already has its own session store.
+# CSRF protection still works (https://github.com/mperham/sidekiq/commit/315504e766c4fd88a29b7772169060afc4c40329).
+Sidekiq::Web.set :sessions, false
+
 # Custom Queues configuration
 queues_config_hash = Gitlab::Redis::Queues.params
 queues_config_hash[:namespace] = Gitlab::Redis::Queues::SIDEKIQ_NAMESPACE