
Rails + Sidekiq::Web: Configuration for wildcard session cookies

Dominik Schöler
October 11, 2017
Software engineer at makandra GmbH

When you're using Sidekiq::Web to monitor the Sidekiq status AND have your session cookie configured to a wildcard domain like .example.com, you need to take an additional step to keep your cookies valid.

Issue


Sidekiq::Web is mounted into your Rails application and uses the Rails session cookie for protection from CSRF attacks. While it figures out the cookie name on its own, it does NOT respect the rest of your cookie configuration, such as a custom domain.

This leads to duplicate session cookies with the same name, e.g. one scoped to "www.example.com" and one scoped to ".example.com". This in turn may break things like logging out. The good news is that only people with access to the Sidekiq::Web monitoring are affected, who are usually not customers.

Solution

You need to manually specify custom cookie configuration for Sidekiq::Web like this:

# config/initializers/sidekiq.rb

require 'sidekiq/web'

# Use the same domain your Rails session cookie is configured with (the
# domain: option of config.session_store), so both apps write one cookie.
Sidekiq::Web.set :sessions, domain: <domain here, e.g. Rails.configuration.x.cookie_domain>
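To make the failure mode concrete, here is an added example that is not part of this card and not code from Sidekiq or Rails: a small pure-Ruby model of how a browser stores cookies by their Domain attribute (RFC 6265 semantics). Fed with recorded Set-Cookie headers, it shows why a Rails cookie for ".example.com" and a host-only Sidekiq::Web cookie coexist under the same name, and that they collapse into one cookie once both apps agree on the domain. All hosts, cookie names and values below are constructed.

```ruby
# Added example, not from the card or from Sidekiq/Rails: a minimal model of
# how a browser stores and matches cookies by their Domain attribute (RFC 6265),
# used to show why two session cookies with the same name end up coexisting.

# Parse a Set-Cookie header value into its name/value pair and attributes.
def parse_set_cookie(header)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, acc|
    k, v = attr.split('=', 2)
    acc[k.downcase] = v
  end
  { name: name, value: value, attributes: attributes }
end

# Scope of a cookie: host-only when no Domain attribute was sent, otherwise a
# domain cookie that also covers all subdomains (a leading dot is ignored).
def cookie_scope(cookie, set_on_host)
  domain = cookie[:attributes]['domain']
  return [:host, set_on_host.downcase] if domain.nil? || domain.empty?
  [:domain, domain.sub(/\A\./, '').downcase]
end

# Does a cookie with this scope get sent on a request to request_host?
def scope_matches?(scope, request_host)
  kind, value = scope
  host = request_host.downcase
  return host == value if kind == :host
  host == value || host.end_with?(".#{value}")
end

# Browser-style cookie jar keyed by (name, scope, path). A later Set-Cookie with
# the same key replaces the stored cookie; a different scope creates a second
# cookie with the same name, which is exactly the duplicate the card describes.
def build_cookie_jar(set_cookie_events)
  set_cookie_events.each_with_object({}) do |(set_on_host, header), jar|
    cookie = parse_set_cookie(header)
    path = cookie[:attributes]['path'] || '/'
    jar[[cookie[:name], cookie_scope(cookie, set_on_host), path]] = cookie[:value]
  end
end

# Cookies the browser would send to request_host, as [name, scope, value].
def cookies_sent_to(jar, request_host)
  jar.select { |(_, scope, _), _| scope_matches?(scope, request_host) }
     .map { |(name, scope, _), value| [name, scope, value] }
end

# Names that would be sent more than once (one per scope) to request_host.
def duplicate_cookie_names(jar, request_host)
  cookies_sent_to(jar, request_host)
    .group_by(&:first)
    .select { |_, list| list.size > 1 }
    .keys
end

# Constructed sample: Rails sets the session cookie for .example.com, while
# Sidekiq::Web without the fix sets the same cookie name host-only.
BEFORE_FIX = [
  ['www.example.com', '_myapp_session=rails123; Domain=.example.com; Path=/; HttpOnly'],
  ['www.example.com', '_myapp_session=sidekiq456; Path=/; HttpOnly'],
].freeze

# With `Sidekiq::Web.set :sessions, domain: '.example.com'` both apps agree,
# so the second Set-Cookie replaces the first instead of adding a sibling.
AFTER_FIX = [
  ['www.example.com', '_myapp_session=rails123; Domain=.example.com; Path=/; HttpOnly'],
  ['www.example.com', '_myapp_session=sidekiq456; Domain=.example.com; Path=/; HttpOnly'],
].freeze

if $PROGRAM_NAME == __FILE__
  %w[www.example.com api.example.com].each do |host|
    puts "#{host}: duplicates before fix #{duplicate_cookie_names(build_cookie_jar(BEFORE_FIX), host).inspect}, " \
         "after fix #{duplicate_cookie_names(build_cookie_jar(AFTER_FIX), host).inspect}"
  end
end
```

Run it as a script to see that "www.example.com" receives two `_myapp_session` cookies before the fix and one after, while "api.example.com" only ever sees the domain-scoped Rails cookie. The same functions can be pointed at Set-Cookie headers captured from your own app and from `/sidekiq` to confirm that both emit the same Domain attribute.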
Posted by Dominik Schöler to makandra dev (2017-10-11 11:45)