Sidekiq: Sidekiq web messes up user sessions
Ruby version: 2.3.1
Sidekiq / Pro / Enterprise version(s): 4.2.9
Our app is running on a subdomain, like "sub.domain.com". We have sessions configured to be shared across all subdomains:
Carmen::Application.config.session_store :active_record_store,
key: "_wego#{"_#{Rails.env}" unless Rails.env.production?}_session", :domain => :all
After accessing the app a session is created and stored for ".domain.com". But after accessing "/sidekiq" another session appears in cookies for "sub.domain.com", which breaks the app, log out and a few other things.
heaven
All 8 comments
Hello @heaven,
When mounting the Sidekiq::Web middleware, could you try setting up the Session options manually?
E.G.
app = Sidekiq::Web.new
app.use Rack::Session::Cookie, options
See this page on how to configure it. Do not forget to pass app instead of Sidekiq::Web to mount.
PS: It seems that it's possible to pass the session options with: Sidekiq::Web.set :sessions, opts, maintaining your mounting code, @mperham might have more info on this.
badosu
on 9 Mar 2017
I can but it anyway then runs Sidekiq::Web#build_sessions which inserts ::Rack::Session::Cookie to middlewares array.
heaven
on 9 Mar 2017
@heaven This is weird, as build_sessions checks if there's an already mounted middleware or the sessions option as seen here.
Would you mind posting your code that mounts the middleware?
badosu
on 9 Mar 2017
It does, but it also performs a few other actions that I don't completely understand so I have to copy a decent part of this method. Is there a way to copy application settings inside build_sessions?
heaven
on 9 Mar 2017
@heaven I can't know the context of your question without seeing the changes you are performing.
There should be no reason you'd need to inspect how Sidekiq::Web is mouting it's internal middlewares unless you require a specific use case.
The only two middlewares loaded by default are Rack::Protection and Rack::Session::Cookie. This is what build_sessions does, and only loaded if you did not load them previously with your own settings via Sidekiq::Web.use Middleware, opts.
You could try using the Sidekiq::Web.set :sessions, opts method as well.
Don't forget that these options should be supplied before mounting the Sidekiq::Web middleware or else they won't have any effect.
badosu
on 9 Mar 2017
@badosu this worked, thanks:
Sidekiq::Web.set :sessions, { domain: ".domain.com" }
Was wondering if this could be detected in Sidekiq, from the :domain option that I pass in session_store.rb
heaven
on 9 Mar 2017
@heaven Glad it worked!
AFAIK Sidekiq Web is totally agnostic of the framework you're using as long as it's a Rack application.
badosu
on 9 Mar 2017
@heaven I found another solution to this, in case anyone else is Googling:
config/initializers/session_store.rb
require 'sidekiq/web'
Rails.application.config.session_store :active_record_store,
key: '_my_session_key'
# Turn off Sinatra's sessions, which overwrite the main Rails app's session
# after the first request
Sidekiq::Web.disable(:sessions)
lib/admin_constraint.rb
class AdminConstraint
def matches?(request)
user = request.env['warden'].user(:user)
user && user.admin?
end
end
config/routes.rb
constraints AdminConstraint.new do
mount Sidekiq::Web => '/admin/sidekiq'
end
dbalatero
on 13 Apr 2018
Related issues
agrobbin
路
4Comments
BeRMaNyA
路
3Comments
rajcybage
路
3Comments
aglushkov
路
3Comments
mperham
路
4Comments
Most helpful comment
@heaven I found another solution to this, in case anyone else is Googling:
config/initializers/session_store.rb
lib/admin_constraint.rb
config/routes.rb