Rails + Sidekiq::Web: Configuration for wildcard session cookies

Dominik Schöler
October 11, 2017. Software engineer at makandra GmbH

When you're using Sidekiq::Web to monitor the Sidekiq status AND have your session cookie configured to a wildcard domain like .example.com, you need to take an additional step to keep your cookies valid.

Issue

Sidekiq::Web is mounted into your Rails application and uses the Rails session cookie for protection from CSRF attacks. While it somehow figures out the cookie name, it does NOT respect cookie configuration such as a custom domain.

This leads to duplicate session cookies, e.g. one for "www.example.com" and one for ".example.com". This in turn may break things like logging out. The good news is that only people with access to the Sidekiq::Web monitoring are affected, and those are usually not customers.
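To confirm the symptom described above in your own application, you can collect the Set-Cookie headers your app and Sidekiq::Web send (e.g. from the browser's network tab or curl) and check whether the session cookie name appears with more than one Domain attribute. The following Ruby script is an added example, not part of the original card; it needs neither Rails nor Sidekiq, and the sample headers it uses are constructed (one imagined login response and one imagined Sidekiq::Web response).

```ruby
# Added example: detect duplicate session cookies with differing Domain
# attributes by inspecting Set-Cookie headers. Plain Ruby, runs offline.

# Parse a single Set-Cookie header value into name, value and attributes.
# Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name, value = parts.shift.split('=', 2)
  attrs = {}
  parts.each do |part|
    key, val = part.split('=', 2)
    attrs[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attrs: attrs }
end

# Group cookies by name and return those names that were set with more than
# one distinct Domain. A cookie without a Domain attribute is host-only (the
# browser binds it to the exact host that set it), which is a distinct scope
# from a wildcard domain such as .example.com.
def duplicate_domain_cookies(headers)
  domains_by_name = Hash.new { |hash, key| hash[key] = [] }
  headers.map { |h| parse_set_cookie(h) }.each do |cookie|
    domains_by_name[cookie[:name]] << (cookie[:attrs]['domain'] || '(host-only)')
  end
  domains_by_name
    .select { |_name, domains| domains.uniq.size > 1 }
    .transform_values(&:uniq)
end

# Constructed sample: the Rails app sets the session cookie for .example.com,
# Sidekiq::Web sets a cookie with the same name but without a Domain attribute.
SAMPLE_HEADERS = [
  '_example_session=abc123; domain=.example.com; path=/; HttpOnly; SameSite=Lax',
  '_example_session=def456; path=/; HttpOnly',
  'remember_me=1; domain=.example.com; path=/'
].freeze

if __FILE__ == $PROGRAM_NAME
  duplicates = duplicate_domain_cookies(SAMPLE_HEADERS)
  if duplicates.empty?
    puts 'No cookie name is set for more than one domain.'
  else
    duplicates.each do |name, domains|
      puts "#{name} is set for multiple domains: #{domains.join(', ')}"
    end
  end
end
```

Run it against real headers by replacing SAMPLE_HEADERS with the Set-Cookie values captured from a login response and from a Sidekiq::Web page; an empty result after applying the configuration from the Solution section confirms the fix.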

Solution

You need to manually specify a custom cookie configuration for Sidekiq::Web like this:

# config/initializers/sidekiq.rb

require 'sidekiq/web'
# Use the same domain as your Rails session cookie,
# e.g. Rails.configuration.x.cookie_domain
Sidekiq::Web.set :sessions, domain: Rails.configuration.x.cookie_domain
Posted by Dominik Schöler to makandra dev (2017-10-11 11:45)