Sidekiq web messes up user sessions #3377

Closed
heaven opened this issue Mar 9, 2017 · 8 comments


heaven commented Mar 9, 2017

Ruby version: 2.3.1
Sidekiq / Pro / Enterprise version(s): 4.2.9

Our app is running on a subdomain, like "sub.domain.com". We have sessions configured to be shared across all subdomains:

```ruby
Carmen::Application.config.session_store :active_record_store,
  key: "_wego#{"_#{Rails.env}" unless Rails.env.production?}_session", :domain => :all
```

After accessing the app a session is created and stored for ".domain.com". But after accessing "/sidekiq" another session appears in cookies for "sub.domain.com", which breaks the app, log out and a few other things.

Contributor

badosu commented Mar 9, 2017

Hello @heaven,

When mounting the Sidekiq::Web middleware, could you try setting up the Session options manually?

E.g.

```ruby
app = Sidekiq::Web.new

app.use Rack::Session::Cookie, options
```

See this page on how to configure it. Do not forget to pass app instead of Sidekiq::Web to mount.

PS: It seems that it's possible to pass the session options with Sidekiq::Web.set :sessions, opts while maintaining your mounting code; @mperham might have more info on this.

Author

heaven commented Mar 9, 2017

I can, but it then runs Sidekiq::Web#build_sessions anyway, which inserts ::Rack::Session::Cookie into the middlewares array.

Contributor

badosu commented Mar 9, 2017

@heaven This is weird, as build_sessions checks if there's an already mounted middleware or the sessions option as seen here.

Would you mind posting your code that mounts the middleware?

Author

heaven commented Mar 9, 2017

It does, but it also performs a few other actions that I don't completely understand so I have to copy a decent part of this method. Is there a way to copy application settings inside build_sessions?

Contributor

badosu commented Mar 9, 2017

@heaven I can't know the context of your question without seeing the changes you are performing.

There should be no reason you'd need to inspect how Sidekiq::Web is mounting its internal middlewares unless you require a specific use case.

The only two middlewares loaded by default are Rack::Protection and Rack::Session::Cookie. This is what build_sessions does, and they are only loaded if you did not load them previously with your own settings via Sidekiq::Web.use Middleware, opts.

You could try using the Sidekiq::Web.set :sessions, opts method as well.

Don't forget that these options should be supplied before mounting the Sidekiq::Web middleware or else they won't have any effect.

Author

heaven commented Mar 9, 2017

@badosu this worked, thanks:

```ruby
Sidekiq::Web.set :sessions, { domain: ".domain.com" }
```

Was wondering if this could be detected in Sidekiq, from the :domain option that I pass in session_store.rb
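
A check one could run after applying this setting, as an added example that is not part of the thread or of Sidekiq: it parses Set-Cookie headers and reports any cookie that is not scoped to the shared domain. The response data, the helper names and the `rack.session` cookie name are assumptions made for illustration.

```ruby
# Added example, not code from the thread or from Sidekiq.
# Parse one Set-Cookie header value into its name and lower-cased attributes.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip).reject(&:empty?)
  name, _value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    key, val = attr.split('=', 2)
    h[key.downcase] = val
  end
  { name: name, attributes: attributes }
end

# Effective scope per RFC 6265: without a Domain attribute the cookie is
# host-only for the responding host; a leading dot in Domain is ignored.
def cookie_scope(cookie, request_host)
  domain = cookie[:attributes]['domain']
  if domain.nil? || domain.empty?
    { domain: request_host.downcase, host_only: true }
  else
    { domain: domain.sub(/\A\./, '').downcase, host_only: false }
  end
end

# Return one finding per cookie that is not scoped to expected_domain.
def audit_cookie_scopes(responses, expected_domain)
  expected = expected_domain.sub(/\A\./, '').downcase
  responses.flat_map do |resp|
    resp[:set_cookie].map do |header|
      cookie = parse_set_cookie(header)
      scope = cookie_scope(cookie, resp[:host])
      next if !scope[:host_only] && scope[:domain] == expected
      { path: resp[:path], cookie: cookie[:name], scope: scope }
    end.compact
  end
end

# Constructed sample responses (assumed values): the app sets a domain-wide
# cookie, the mounted dashboard sets one without a Domain attribute.
SAMPLE_RESPONSES = [
  { host: 'sub.domain.com', path: '/',
    set_cookie: ['_wego_session=abc123; Domain=.domain.com; Path=/; HttpOnly'] },
  { host: 'sub.domain.com', path: '/sidekiq',
    set_cookie: ['rack.session=def456; Path=/; HttpOnly'] }
].freeze

audit_cookie_scopes(SAMPLE_RESPONSES, '.domain.com').each do |f|
  kind = f[:scope][:host_only] ? 'host-only' : 'domain'
  puts "#{f[:path]}: #{f[:cookie]} is a #{kind} cookie for #{f[:scope][:domain]}"
end
```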

Contributor

badosu commented Mar 9, 2017

@heaven Glad it worked!

AFAIK Sidekiq Web is totally agnostic of the framework you're using as long as it's a Rack application.

badosu closed this as completed Mar 9, 2017

dbalatero commented Apr 13, 2018

@heaven I found another solution to this, in case anyone else is Googling:

config/initializers/session_store.rb

```ruby
require 'sidekiq/web'

Rails.application.config.session_store :active_record_store,
  key: '_my_session_key'

# Turn off Sinatra's sessions, which overwrite the main Rails app's session
# after the first request
Sidekiq::Web.disable(:sessions)
```

lib/admin_constraint.rb

```ruby
class AdminConstraint
  def matches?(request)
    user = request.env['warden'].user(:user)
    user && user.admin?
  end
end
```

config/routes.rb

```ruby
constraints AdminConstraint.new do
  mount Sidekiq::Web => '/admin/sidekiq'
end
```
