Merge branch 'sh-disable-sidekiq-session' into 'master'

Disable the Sidekiq Admin Rack session See merge request gitlab-org/gitlab-ce!21441

Merge branch 'sh-disable-sidekiq-session' into 'master'
Disable the Sidekiq Admin Rack session See merge request gitlab-org/gitlab-ce!21441
61ffa04d · Sean McGivern · de4c76bb · 4442972b · 61ffa04d · 61ffa04d
Commit 61ffa04d authored Sep 03, 2018 by Sean McGivern
Showing with 11 additions and 0 deletions

changelogs/unreleased/sh-disable-sidekiq-session.yml changelogs/unreleased/sh-disable-sidekiq-session.yml +5 -0

config/initializers/sidekiq.rb config/initializers/sidekiq.rb +6 -0

No files found.
--- a/changelogs/unreleased/sh-disable-sidekiq-session.yml
+++ b/changelogs/unreleased/sh-disable-sidekiq-session.yml
+---
+title: Disable the Sidekiq Admin Rack session
+merge_request: 21441
+author:
+type: security
--- a/config/initializers/sidekiq.rb
+++ b/config/initializers/sidekiq.rb
+require 'sidekiq/web'
+
+# Disable the Sidekiq Rack session since GitLab already has its own session store.
+# CSRF protection still works (https://github.com/mperham/sidekiq/commit/315504e766c4fd88a29b7772169060afc4c40329).
+Sidekiq::Web.set :sessions, false
+
 # Custom Queues configuration
 queues_config_hash = Gitlab::Redis::Queues.params
 queues_config_hash[:namespace] = Gitlab::Redis::Queues::SIDEKIQ_NAMESPACE