Rails 4.2.6
Sidekiq 4.1.1
I have mount Sidekiq::Web => "/sidekiq" in my routes
I've been running into this issue (which only happens in production) where whenever I load any page in the Sidekiq web dashboard, my Rails session seems to get stomped, resulting in me being logged out (in my app; there's no auth on the sidekiq dashboard).
I also get the "Forbidden" error whenever I click on something like retrying failed jobs.
My session_store.rb:
    MyApp::Application.config.session_store :redis_session_store, {
      key: "_myapp_session_#{Rails.env}",
      secure: false,
      redis: {
        db: 1,
        key_prefix: "myapp:session:",
        host: CONFIG.redis.host,
        port: CONFIG.redis.port,
        serializer: :hybrid
      }
    }
I've looked through similar errors in issues now closed and nothing stands out as applying. There was a Rails bug that it seems like Sidekiq now monkeypatches. There was something about an older version of rack-protection, but I'm using the latest (1.5.3), etc. Couldn't find anything applicable in the wiki. The only mention of the "Forbidden" issue in the wiki seems to apply to running in standalone.
Is there some way to figure out why this is happening or a configuration option I'm missing so Sidekiq::Web will play nice with my Rails session?
Sidekiq does nothing with sessions except require them. If you are having a conflict, it's between Rack, Sinatra and Rails. Nothing Sidekiq can control or fix and since the web side isn't my specialty I don't have any idea what might be wrong.
Make sure you are sharing the same "secret" between Sinatra and Rails. See old session issues for ideas.
After upgrading to 4.1.1 I have a very similar issue. I'm running passenger standalone. I can login fine but when I go to delete/retry/whatever jobs I get the Forbidden message.
For reference, my config.ru looks similar to this:
    require 'digest'
    require 'sidekiq/web'

    # Session cookie used by Sidekiq::Web (the CSRF token lives in this session)
    Sidekiq::Web.use Rack::Session::Cookie, secret: ENV['RACK_SESSION_COOKIE']

    map '/sidekiq' do
      # HTTP Basic auth in front of the dashboard
      use Rack::Auth::Basic, 'Protected Area' do |username, password|
        md5_of_password = Digest::MD5.hexdigest(password)
        username == 'whatever' && md5_of_password == ENV['SIDEKIQ_HASH']
      end
      run Sidekiq::Web
    end
Would love your thoughts @mperham or @pbhogan if you were able to solve this.
I get this intermittently as well on a fairly simple app. Here's a log of it occurring:
Started GET "/sidekiq/stylesheets/bootstrap.css" for 127.0.0.1 at 2017-08-18 15:57:17 -0500
Started GET "/sidekiq/stylesheets/application.css" for 127.0.0.1 at 2017-08-18 15:57:17 -0500
Started GET "/sidekiq/javascripts/application.js" for 127.0.0.1 at 2017-08-18 15:57:17 -0500
Started GET "/users/sign_in" for 127.0.0.1 at 2017-08-18 15:57:17 -0500
Processing by Devise::SessionsController#new as HTML
Rendering devise/sessions/new.html.erb within layouts/application
Rendered devise/sessions/new.html.erb within layouts/application (11.3ms)
Completed 200 OK in 68ms (Views: 65.0ms | ActiveRecord: 0.0ms)
Started GET "/users/sign_in" for 127.0.0.1 at 2017-08-18 15:57:17 -0500
Processing by Devise::SessionsController#new as HTML
Rendering devise/sessions/new.html.erb within layouts/application
Rendered devise/sessions/new.html.erb within layouts/application (1.7ms)
Completed 200 OK in 38ms (Views: 35.3ms | ActiveRecord: 0.0ms)
Started GET "/users/sign_in" for 127.0.0.1 at 2017-08-18 15:57:17 -0500
Processing by Devise::SessionsController#new as */*
Rendering devise/sessions/new.html.erb within layouts/application
Rendered devise/sessions/new.html.erb within layouts/application (1.5ms)
Completed 200 OK in 45ms (Views: 42.0ms | ActiveRecord: 0.0ms)
This is especially odd considering:
My routes for Sidekiq are pretty vanilla:
    if Rails.env.development?
      authenticate :user do
        mount Sidekiq::Web => "/sidekiq"
      end
    end
I'm having a related problem. The reason this was happening for me was that I configured the Rails session store to use :cookie_store, and the :domain option is configured to :all. That means that the cookie domain of the session cookie is .example.com instead of www.example.com.
However, whenever I visit the sidekiq web interface, another session cookie is added with domain www.example.com. Now I have two conflicting session cookies, and that throws rails off - I guess one session cookie shadows the other, or something like that. I guess this is happening because rails' cookie store is somehow picking up options from Rack::Session::Cookie.
My solution was to put the following in an initializer:
    require "sidekiq/web"
    Sidekiq::Web.set(:sessions, { domain: ".example.com" })
When I set the domain for sidekiq (and in turn Rack::Session::Cookie), the session cookie of rails also uses that domain, and I get no conflicting session cookies. Just leaving this here in case someone is having the same problem, and doesn't want to disable CSRF for sidekiq.
Not entirely sure if this is a bug in rails, or intended behavior.
Rails version 5.0.4, sidekiq version 4.2.10
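The cookie conflict described in the comment above, as an added example that is not part of the original thread or of Sidekiq's code: a small model of a browser cookie jar shows why a host-only cookie and a `.example.com` cookie with the same name coexist, and why aligning the domain leaves only one. The cookie name, values and hosts are constructed, and the first-value-wins parser is an assumption that mirrors how Rack reads a repeated cookie name.

```ruby
# Added example: minimal model of a browser cookie jar (RFC 6265 storage rules).
# Hosts, cookie name and values are constructed for illustration.
class CookieJar
  Cookie = Struct.new(:name, :value, :domain, :host_only, :path)

  def initialize
    @cookies = []
  end

  # Store a cookie the way a browser does: an entry is replaced only when
  # name, domain and path all match; otherwise a second entry is added.
  def set(request_host, name, value, domain: nil, path: "/")
    stored_domain = (domain || request_host).sub(/\A\./, "").downcase
    @cookies.reject! { |c| [c.name, c.domain, c.path] == [name, stored_domain, path] }
    @cookies << Cookie.new(name, value, stored_domain, domain.nil?, path)
  end

  # Build the Cookie request header for a host: host-only cookies need an
  # exact host match, domain cookies also match subdomains.
  def header_for(host)
    matching = @cookies.select do |c|
      c.host_only ? host == c.domain : (host == c.domain || host.end_with?(".#{c.domain}"))
    end
    matching.map { |c| "#{c.name}=#{c.value}" }.join("; ")
  end
end

# First occurrence wins for a repeated name (assumption: mirrors Rack's parser).
def parse_cookie_header(header)
  header.split(/;\s*/).each_with_object({}) do |pair, out|
    key, value = pair.split("=", 2)
    out[key] = value unless out.key?(key)
  end
end

def simulate(sidekiq_domain)
  jar = CookieJar.new
  # Rails session store configured with domain: :all
  jar.set("www.example.com", "_myapp_session", "rails-v1", domain: ".example.com")
  # Session cookie written while serving the Sidekiq dashboard
  jar.set("www.example.com", "_myapp_session", "sidekiq-v2", domain: sidekiq_domain)
  header = jar.header_for("www.example.com")
  { header: header, seen_by_app: parse_cookie_header(header)["_myapp_session"] }
end

CONFLICT = simulate(nil)             # no Domain attribute: host-only cookie
FIXED    = simulate(".example.com")  # domain aligned, as in the initializer above
```

In the conflicting case the request carries both cookies and the application keeps reading the older value, so session changes written to the newer cookie (login state, CSRF token) are never seen.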
Thanks @fschwahn !
Your suggestion led me to a more comprehensive discussion about this issue at https://github.com/redis-store/redis-rails/issues/34