-rw-r--r--changelogs/unreleased/sh-disable-sidekiq-session.yml5
-rw-r--r--config/initializers/sidekiq.rb6
2 files changed, 11 insertions, 0 deletions
diff --git a/changelogs/unreleased/sh-disable-sidekiq-session.yml b/changelogs/unreleased/sh-disable-sidekiq-session.yml
new file mode 100644
index 00000000000..d018bbed841
--- /dev/null
+++ b/changelogs/unreleased/sh-disable-sidekiq-session.yml
@@ -0,0 +1,5 @@
+---
+title: Disable the Sidekiq Admin Rack session
+merge_request: 21441
+author:
+type: security
diff --git a/config/initializers/sidekiq.rb b/config/initializers/sidekiq.rb
index 6f54bee4713..476eaabfed8 100644
--- a/config/initializers/sidekiq.rb
+++ b/config/initializers/sidekiq.rb
@@ -1,3 +1,9 @@
+require 'sidekiq/web'
+
+# Disable the Sidekiq Rack session since GitLab already has its own session store.
+# CSRF protection still works (https://github.com/mperham/sidekiq/commit/315504e766c4fd88a29b7772169060afc4c40329).
+Sidekiq::Web.set :sessions, false
+
# Custom Queues configuration
queues_config_hash = Gitlab::Redis::Queues.params
queues_config_hash[:namespace] = Gitlab::Redis::Queues::SIDEKIQ_NAMESPACE
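Review bot: The comment above `Sidekiq::Web.set :sessions, false` asserts that CSRF protection still works, but that only holds while Sidekiq::Web is served inside the Rails middleware stack so that `rack.session` is GitLab's own session; nothing in this hunk records or checks that assumption, and a standalone mount of Sidekiq::Web would presumably run without any session and so without a working CSRF token. Suggest extending the comment with `# NOTE: relies on Sidekiq::Web being mounted inside the Rails app so rack.session comes from GitLab's session store; do not mount it standalone.` A request spec against the Sidekiq admin path asserting that no separate Sidekiq session cookie is issued and that a POST without a CSRF token is rejected would keep this from regressing silently. The `require 'sidekiq/web'` on the first added line also loads the web UI into every process that runs this initializer, including Sidekiq workers, which may be worth a short comment if that is intended. The initializer continues past the end of the hunk.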