From 73f29f67e12dcf8c193ae73f008fcd79aae4a24b Mon Sep 17 00:00:00 2001 From: Mike Perham Date: Sun, 31 Jan 2021 12:28:24 -0800 Subject: [PATCH 1/7] Simplify Web UI sessions Remove all of the hacks and support infrastructure around Rack sessions. Rails provides this by default so we don't need it for 90% of users. The other 10% should know and provide a Rack session. This is a big change and has the potential to break many installs. It will be part of the 7.0 major version bump and require a lengthy beta period to ensure we document as many edge cases and solutions as possible. See also #4671, #4728 and many others. --- 7.0-Upgrade.md | 49 ++++++++++++++++++++++ lib/sidekiq/web.rb | 60 ++++++++++----------------- lib/sidekiq/web/csrf_protection.rb | 16 +++++++- myapp/simple.ru | 7 ++++ test/test_web.rb | 65 ------------------------------ 5 files changed, 93 insertions(+), 104 deletions(-) create mode 100644 7.0-Upgrade.md diff --git a/7.0-Upgrade.md b/7.0-Upgrade.md new file mode 100644 index 000000000..75845f08c --- /dev/null +++ b/7.0-Upgrade.md @@ -0,0 +1,49 @@ +# Welcome to Sidekiq 7.0 + + +## Web UI Sessions + +One focus of this major version upgrade is a refactoring of the Web UI +in order to simplify and integrate better with Rails and Rack sessions. +The most frustrating support and user pain point has been debugging problems with +the Web UI's use of Rack sessions. + +Previously Sidekiq::Web would provide a basic cookie session if not +configured but this often collided with the Rails session. Starting in +7.0, Sidekiq will not provide a session. The application developer must +provide a session somehow. Here's the main ways: + +### Rails + +Mount Sidekiq::Web within the application's routes in `config/routes.rb`. +Rails already provides a session to anything mounted within it. + +```ruby +Rails.application.routes.draw do + mount Sidekiq::Web => "/sidekiq" + .... +end +``` + +### Rack + +If you are not running Rails but mounting Sidekiq::Web as a basic Rack +app, first create a shared secret key in IRB: + +```ruby +require 'securerandom' +secret_key = SecureRandom.hex(32) +File.open(".secret.key", "w") {|f| f.write(secret_key) } +``` + +And then configure your session middleware to use that secret: + +```ruby +use Rack::Session::Cookie, secret: File.read(".secret.key") +run Sidekiq::Web +``` + +This is similar to how Rails puts its secret_key in `config/initializers/secret_token.rb` +so all Rails processes can share the same key. The session cookies will +be encrypted with that secret so no one can read them but your app code. +See the [Rack::Session::Cookie RDoc](https://www.rubydoc.info/gems/rack/Rack/Session/Cookie) for more options. diff --git a/lib/sidekiq/web.rb b/lib/sidekiq/web.rb index 864aca78b..4644ea902 100644 --- a/lib/sidekiq/web.rb +++ b/lib/sidekiq/web.rb @@ -78,15 +78,27 @@ def set(attribute, value) send(:"#{attribute}=", value) end - attr_accessor :app_url, :session_secret, :redis_pool, :sessions + def sessions=(val) + raise <<~EOM + Warning: disabling sessions opens your Sidekiq UI up to CSRF attacks. You may + disable them by setting `SIDEKIQ_DISABLE_SESSIONS_THIS_IS_A_BAD_IDEA=true`. + EOM + end + + def session_secret=(val) + raise <<~EOM + Sidekiq no longer allows setting the session secret directly. Either configure + your session middleware directly or allow Sidekiq to reuse the Rails session. + EOM + end + + attr_accessor :app_url, :redis_pool attr_writer :locales, :views end def self.inherited(child) child.app_url = app_url - child.session_secret = session_secret child.redis_pool = redis_pool - child.sessions = sessions end def settings @@ -126,18 +138,11 @@ def set(attribute, value) send(:"#{attribute}=", value) end - # Default values - set :sessions, true - - attr_writer :sessions - - def sessions - unless instance_variable_defined?("@sessions") - @sessions = self.class.sessions - @sessions = @sessions.to_hash.dup if @sessions.respond_to?(:to_hash) - end - - @sessions + def sessions=(val) + raise <<~EOM + Sidekiq no longer allows configuring the session via Sidekiq::Web. Either configure + your session middleware directly or allow Sidekiq to reuse the Rails session. + EOM end def self.register(extension) @@ -153,33 +158,12 @@ def using?(middleware) end def build_sessions - middlewares = self.middlewares - - s = sessions + disable_sessions = ENV["SIDEKIQ_DISABLE_SESSIONS_THIS_IS_A_BAD_IDEA"] == "true" || ENV["RACK_ENV"] == "test" # turn on CSRF protection if sessions are enabled and this is not the test env - if s && !using?(CsrfProtection) && ENV["RACK_ENV"] != "test" + unless disable_sessions || using?(CsrfProtection) middlewares.unshift [[CsrfProtection], nil] end - - if s && !using?(::Rack::Session::Cookie) - unless (secret = Web.session_secret) - require "securerandom" - secret = SecureRandom.hex(64) - end - - options = {secret: secret} - options = options.merge(s.to_hash) if s.respond_to? :to_hash - - middlewares.unshift [[::Rack::Session::Cookie, options], nil] - end - - # Since Sidekiq::WebApplication no longer calculates its own - # Content-Length response header, we must ensure that the Rack middleware - # that does this is loaded - unless using? ::Rack::ContentLength - middlewares.unshift [[::Rack::ContentLength], nil] - end end def build diff --git a/lib/sidekiq/web/csrf_protection.rb b/lib/sidekiq/web/csrf_protection.rb index f847abc11..ab8f32b17 100644 --- a/lib/sidekiq/web/csrf_protection.rb +++ b/lib/sidekiq/web/csrf_protection.rb @@ -66,7 +66,21 @@ def deny(env) end def session(env) - env["rack.session"] || fail("you need to set up a session middleware *before* #{self.class}") + env["rack.session"] || fail(<<~EOM) + Sidekiq::Web needs a valid Rack session to work. If this is a Rails app, + make sure you mount Sidekiq::Web *inside* your application routes: + + Rails.application.routes.draw do + mount Sidekiq::Web => "/sidekiq" + .... + end + + If this is a bare Rack app, use a session middleware before Sidekiq::Web: + + secret_key = SecureRandom.hex(32) + use Rack::Session::Cookie, secret: secret_key + run Sidekiq::Web + EOM end def accept?(env) diff --git a/myapp/simple.ru b/myapp/simple.ru index 9bae9a0c5..3a00f1c59 100644 --- a/myapp/simple.ru +++ b/myapp/simple.ru @@ -11,4 +11,11 @@ end Sidekiq::Client.push('class' => "HardWorker", 'args' => []) require 'sidekiq/web' + +# In a multi-process deployment, all Web UI instances should share +# this secret key so they can all decode the encrypted browser cookies +# and provide a working session. +# Rails does this in /config/initializers/secret_token.rb +secret_key = SecureRandom.hex(32) +use Rack::Session::Cookie, secret: secret_key run Sidekiq::Web diff --git a/test/test_web.rb b/test/test_web.rb index 8d3c90b51..e5280480d 100644 --- a/test/test_web.rb +++ b/test/test_web.rb @@ -30,11 +30,6 @@ def perform(a, b) end end - it 'can configure via set() syntax' do - app.set(:session_secret, "foo") - assert_equal "foo", app.session_secret - end - it 'can show text with any locales' do rackenv = {'HTTP_ACCEPT_LANGUAGE' => 'ru,en'} get '/', {}, rackenv @@ -780,66 +775,6 @@ def app assert_equal 'v3rys3cr31', session_options[:secret] assert_equal 'nicehost.org', session_options[:host] end - - describe 'sessions options' do - include Rack::Test::Methods - - describe 'using #disable' do - def app - app = Sidekiq::Web.new - app.disable(:sessions) - app - end - - it "doesn't create sessions" do - get '/' - assert_nil last_request.env['rack.session'] - end - end - - describe 'using #set with false argument' do - def app - app = Sidekiq::Web.new - app.set(:sessions, false) - app - end - - it "doesn't create sessions" do - get '/' - assert_nil last_request.env['rack.session'] - end - end - - describe 'using #set with an hash' do - def app - app = Sidekiq::Web.new - app.set(:sessions, { domain: :all }) - app - end - - it "creates sessions" do - get '/' - refute_nil last_request.env['rack.session'] - refute_empty last_request.env['rack.session'].options - assert_equal :all, last_request.env['rack.session'].options[:domain] - end - end - - describe 'using #enable' do - def app - app = Sidekiq::Web.new - app.enable(:sessions) - app - end - - it "creates sessions" do - get '/' - refute_nil last_request.env['rack.session'] - refute_empty last_request.env['rack.session'].options - refute_nil last_request.env['rack.session'].options[:secret] - end - end - end end describe "redirecting in before" do From 7b83694fed091ec430e84ee2bfb23441a9b6a17e Mon Sep 17 00:00:00 2001 From: Mike Perham Date: Mon, 8 Feb 2021 20:43:54 -0800 Subject: [PATCH 2/7] Support HEAD method for root * Remove HEAD aliases which don't work * Add simplest possible heartbeat HEAD which returns 200 or 500. --- lib/sidekiq/web/application.rb | 7 +++++++ lib/sidekiq/web/router.rb | 5 ++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/lib/sidekiq/web/application.rb b/lib/sidekiq/web/application.rb index 251b4d265..31b620007 100644 --- a/lib/sidekiq/web/application.rb +++ b/lib/sidekiq/web/application.rb @@ -42,6 +42,13 @@ def self.set(key, val) # nothing, backwards compatibility end + head "/" do + # HEAD / is the cheapest heartbeat possible, + # it hits Redis to ensure connectivity + Sidekiq.redis {|c| c.llen("queue:default") } + "" + end + get "/" do @redis_info = redis_info.select { |k, v| REDIS_KEYS.include? k } stats_history = Sidekiq::Stats::History.new((params["days"] || 30).to_i) diff --git a/lib/sidekiq/web/router.rb b/lib/sidekiq/web/router.rb index efd9ff1ab..34d586ead 100644 --- a/lib/sidekiq/web/router.rb +++ b/lib/sidekiq/web/router.rb @@ -15,6 +15,10 @@ module WebRouter REQUEST_METHOD = "REQUEST_METHOD" PATH_INFO = "PATH_INFO" + def head(path, &block) + route(HEAD, path, &block) + end + def get(path, &block) route(GET, path, &block) end @@ -39,7 +43,6 @@ def route(method, path, &block) @routes ||= {GET => [], POST => [], PUT => [], PATCH => [], DELETE => [], HEAD => []} @routes[method] << WebRoute.new(method, path, block) - @routes[HEAD] << WebRoute.new(method, path, block) if method == GET end def match(env) From 58746ef19429c545ecd4f3fc1d78f0390c69d381 Mon Sep 17 00:00:00 2001 From: Mike Perham Date: Tue, 9 Feb 2021 12:30:55 -0800 Subject: [PATCH 3/7] Refactor Web UI session usage --- 7.0-Upgrade.md | 49 --------------- Changes.md | 29 ++++++++- lib/sidekiq/web.rb | 60 +++++-------------- lib/sidekiq/web/application.rb | 3 +- lib/sidekiq/web/csrf_protection.rb | 13 +++- .../db/migrate/20120123214055_create_posts.rb | 2 +- myapp/simple.ru | 6 +- test/test_web.rb | 10 ++-- 8 files changed, 63 insertions(+), 109 deletions(-) delete mode 100644 7.0-Upgrade.md diff --git a/7.0-Upgrade.md b/7.0-Upgrade.md deleted file mode 100644 index 75845f08c..000000000 --- a/7.0-Upgrade.md +++ /dev/null @@ -1,49 +0,0 @@ -# Welcome to Sidekiq 7.0 - - -## Web UI Sessions - -One focus of this major version upgrade is a refactoring of the Web UI -in order to simplify and integrate better with Rails and Rack sessions. -The most frustrating support and user pain point has been debugging problems with -the Web UI's use of Rack sessions. - -Previously Sidekiq::Web would provide a basic cookie session if not -configured but this often collided with the Rails session. Starting in -7.0, Sidekiq will not provide a session. The application developer must -provide a session somehow. Here's the main ways: - -### Rails - -Mount Sidekiq::Web within the application's routes in `config/routes.rb`. -Rails already provides a session to anything mounted within it. - -```ruby -Rails.application.routes.draw do - mount Sidekiq::Web => "/sidekiq" - .... -end -``` - -### Rack - -If you are not running Rails but mounting Sidekiq::Web as a basic Rack -app, first create a shared secret key in IRB: - -```ruby -require 'securerandom' -secret_key = SecureRandom.hex(32) -File.open(".secret.key", "w") {|f| f.write(secret_key) } -``` - -And then configure your session middleware to use that secret: - -```ruby -use Rack::Session::Cookie, secret: File.read(".secret.key") -run Sidekiq::Web -``` - -This is similar to how Rails puts its secret_key in `config/initializers/secret_token.rb` -so all Rails processes can share the same key. The session cookies will -be encrypted with that secret so no one can read them but your app code. -See the [Rack::Session::Cookie RDoc](https://www.rubydoc.info/gems/rack/Rack/Session/Cookie) for more options. diff --git a/Changes.md b/Changes.md index 8ad2923d1..123ac3e1b 100644 --- a/Changes.md +++ b/Changes.md @@ -2,7 +2,34 @@ [Sidekiq Changes](https://github.com/mperham/sidekiq/blob/master/Changes.md) | [Sidekiq Pro Changes](https://github.com/mperham/sidekiq/blob/master/Pro-Changes.md) | [Sidekiq Enterprise Changes](https://github.com/mperham/sidekiq/blob/master/Ent-Changes.md) -6.1.3 +HEAD +--------- + +- Refactor Web UI session usage. + Numerous people have hit "Forbidden" errors and struggled with Sidekiq's + Web UI session requirement. If you have code in your initializer for + Web sessions, it's quite possible it will need to be removed. Here's + an overview: +``` + Sidekiq::Web needs a valid Rack session for CSRF protection. If this is a Rails app, + make sure you mount Sidekiq::Web *inside* your routes in `config/routes.rb`: + + Rails.application.routes.draw do + mount Sidekiq::Web => "/sidekiq" + .... + end + + If this is a bare Rack app, use a session middleware before Sidekiq::Web: + + # first, use IRB to create a shared secret key for sessions and commit it + require 'securerandom'; File.open(".session.key", "w") {|f| f.write(SecureRandom.hex(32)) } + + # now, update your Rack app to include the secret with a session cookie middleware + use Rack::Session::Cookie, secret: File.read(".session.key"), same_site: true, max_age: 86400 + run Sidekiq::Web +``` + + 6.1.3 --------- - Warn if Redis is configured to evict data under memory pressure [#4752] diff --git a/lib/sidekiq/web.rb b/lib/sidekiq/web.rb index 4644ea902..4fb641f15 100644 --- a/lib/sidekiq/web.rb +++ b/lib/sidekiq/web.rb @@ -13,10 +13,8 @@ require "sidekiq/web/csrf_protection" require "rack/content_length" - require "rack/builder" require "rack/file" -require "rack/session/cookie" module Sidekiq class Web @@ -40,14 +38,6 @@ def settings self end - def middlewares - @middlewares ||= [] - end - - def use(*middleware_args, &block) - middlewares << [middleware_args, block] - end - def default_tabs DEFAULT_TABS end @@ -73,23 +63,16 @@ def disable(*opts) opts.each { |key| set(key, false) } end - # Helper for the Sinatra syntax: Sidekiq::Web.set(:session_secret, Rails.application.secrets...) def set(attribute, value) send(:"#{attribute}=", value) end def sessions=(val) - raise <<~EOM - Warning: disabling sessions opens your Sidekiq UI up to CSRF attacks. You may - disable them by setting `SIDEKIQ_DISABLE_SESSIONS_THIS_IS_A_BAD_IDEA=true`. - EOM + puts "Sidekiq::Web.sessions= is no longer relevant and will be removed in Sidekiq 7.0. #{caller[2..2].first}" end def session_secret=(val) - raise <<~EOM - Sidekiq no longer allows setting the session secret directly. Either configure - your session middleware directly or allow Sidekiq to reuse the Rails session. - EOM + puts "Sidekiq::Web.session_secret= is no longer relevant and will be removed in Sidekiq 7.0. #{caller[2..2].first}" end attr_accessor :app_url, :redis_pool @@ -105,12 +88,12 @@ def settings self.class.settings end - def use(*middleware_args, &block) - middlewares << [middleware_args, block] + def middlewares + @middlewares ||= [] end - def middlewares - @middlewares ||= Web.middlewares.dup + def use(*args, &block) + middlewares << [args, block] end def call(env) @@ -139,38 +122,25 @@ def set(attribute, value) end def sessions=(val) - raise <<~EOM - Sidekiq no longer allows configuring the session via Sidekiq::Web. Either configure - your session middleware directly or allow Sidekiq to reuse the Rails session. - EOM + puts "Sidekiq::Web#sessions= is no longer relevant and will be removed in Sidekiq 7.0. #{caller[2..2].first}" end def self.register(extension) extension.registered(WebApplication) end - private - - def using?(middleware) - middlewares.any? do |(m, _)| - m.is_a?(Array) && (m[0] == middleware || m[0].is_a?(middleware)) - end + def default_middlewares + @default ||= [ + [[Sidekiq::Web::CsrfProtection]], + [[Rack::ContentLength]] + ] end - def build_sessions - disable_sessions = ENV["SIDEKIQ_DISABLE_SESSIONS_THIS_IS_A_BAD_IDEA"] == "true" || ENV["RACK_ENV"] == "test" - - # turn on CSRF protection if sessions are enabled and this is not the test env - unless disable_sessions || using?(CsrfProtection) - middlewares.unshift [[CsrfProtection], nil] - end - end + private def build - build_sessions - - middlewares = self.middlewares klass = self.class + m = middlewares + default_middlewares ::Rack::Builder.new do %w[stylesheets javascripts images].each do |asset_dir| @@ -179,7 +149,7 @@ def build end end - middlewares.each { |middleware, block| use(*middleware, &block) } + m.each { |middleware, block| use(*middleware, &block) } run WebApplication.new(klass) end diff --git a/lib/sidekiq/web/application.rb b/lib/sidekiq/web/application.rb index 31b620007..37b610f6b 100644 --- a/lib/sidekiq/web/application.rb +++ b/lib/sidekiq/web/application.rb @@ -4,7 +4,6 @@ module Sidekiq class WebApplication extend WebRouter - CONTENT_LENGTH = "Content-Length" REDIS_KEYS = %w[redis_version uptime_in_days connected_clients used_memory_human used_memory_peak_human] CSP_HEADER = [ "default-src 'self' https: http:", @@ -45,7 +44,7 @@ def self.set(key, val) head "/" do # HEAD / is the cheapest heartbeat possible, # it hits Redis to ensure connectivity - Sidekiq.redis {|c| c.llen("queue:default") } + Sidekiq.redis { |c| c.llen("queue:default") } "" end diff --git a/lib/sidekiq/web/csrf_protection.rb b/lib/sidekiq/web/csrf_protection.rb index ab8f32b17..59a52ce71 100644 --- a/lib/sidekiq/web/csrf_protection.rb +++ b/lib/sidekiq/web/csrf_protection.rb @@ -67,18 +67,25 @@ def deny(env) def session(env) env["rack.session"] || fail(<<~EOM) - Sidekiq::Web needs a valid Rack session to work. If this is a Rails app, + Sidekiq::Web needs a valid Rack session for CSRF protection. If this is a Rails app, make sure you mount Sidekiq::Web *inside* your application routes: + Rails.application.routes.draw do mount Sidekiq::Web => "/sidekiq" .... end + If this is a bare Rack app, use a session middleware before Sidekiq::Web: - secret_key = SecureRandom.hex(32) - use Rack::Session::Cookie, secret: secret_key + + # first, use IRB to create a shared secret key for sessions and commit it + require 'securerandom'; File.open(".session.key", "w") {|f| f.write(SecureRandom.hex(32)) } + + + # now use the secret with a session cookie middleware + use Rack::Session::Cookie, secret: File.read(".session.key"), same_site: true, max_age: 86400 run Sidekiq::Web EOM end diff --git a/myapp/db/migrate/20120123214055_create_posts.rb b/myapp/db/migrate/20120123214055_create_posts.rb index e97a6e03b..ca4238157 100644 --- a/myapp/db/migrate/20120123214055_create_posts.rb +++ b/myapp/db/migrate/20120123214055_create_posts.rb @@ -1,4 +1,4 @@ -class CreatePosts < ActiveRecord::Migration +class CreatePosts < ActiveRecord::Migration[6.0] def change create_table :posts do |t| t.string :title diff --git a/myapp/simple.ru b/myapp/simple.ru index 3a00f1c59..8e0074711 100644 --- a/myapp/simple.ru +++ b/myapp/simple.ru @@ -1,7 +1,7 @@ # Easiest way to run Sidekiq::Web. # Run with "bundle exec rackup simple.ru" -require 'sidekiq' +require 'sidekiq/web' # A Web process always runs as client, no need to configure server Sidekiq.configure_client do |config| @@ -10,12 +10,10 @@ end Sidekiq::Client.push('class' => "HardWorker", 'args' => []) -require 'sidekiq/web' - # In a multi-process deployment, all Web UI instances should share # this secret key so they can all decode the encrypted browser cookies # and provide a working session. # Rails does this in /config/initializers/secret_token.rb secret_key = SecureRandom.hex(32) -use Rack::Session::Cookie, secret: secret_key +use Rack::Session::Cookie, secret: secret_key, same_site: true, max_age: 86400 run Sidekiq::Web diff --git a/test/test_web.rb b/test/test_web.rb index e5280480d..782ce304c 100644 --- a/test/test_web.rb +++ b/test/test_web.rb @@ -9,7 +9,7 @@ include Rack::Test::Methods def app - Sidekiq::Web + @app ||= Sidekiq::Web.new end def job_params(job, score) @@ -17,9 +17,8 @@ def job_params(job, score) end before do - ENV["RACK_ENV"] = "test" Sidekiq.redis {|c| c.flushdb } - Sidekiq::Web.middlewares.clear + app.default_middleware.clear end class WebWorker @@ -738,6 +737,7 @@ def add_worker def app app = Sidekiq::Web.new app.use(Rack::Auth::Basic) { |user, pass| user == "a" && pass == "b" } + app.use(Rack::Session::Cookie, secret: SecureRandom.hex(32)) app end @@ -792,7 +792,9 @@ def app end def app - Sidekiq::Web.new + app = Sidekiq::Web.new + app.use Rack::Session::Cookie, secret: 'v3rys3cr31', host: 'nicehost.org' + app end it "allows afters to run" do From dda6c0eef20ecfbffeb3ee59ef72e99c4c28ce5f Mon Sep 17 00:00:00 2001 From: Mike Perham Date: Tue, 9 Feb 2021 12:46:59 -0800 Subject: [PATCH 4/7] oops --- test/test_web.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/test_web.rb b/test/test_web.rb index 782ce304c..69f7c58a6 100644 --- a/test/test_web.rb +++ b/test/test_web.rb @@ -18,7 +18,7 @@ def job_params(job, score) before do Sidekiq.redis {|c| c.flushdb } - app.default_middleware.clear + app.default_middlewares.clear end class WebWorker From 05142be1e0c07fd6f2827ed17ab113c0ad690f21 Mon Sep 17 00:00:00 2001 From: Mike Perham Date: Fri, 12 Feb 2021 14:43:25 -0800 Subject: [PATCH 5/7] Polish --- Changes.md | 7 ++++--- lib/sidekiq/version.rb | 2 +- lib/sidekiq/web.rb | 4 ++-- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/Changes.md b/Changes.md index 123ac3e1b..86cfd0cd3 100644 --- a/Changes.md +++ b/Changes.md @@ -11,15 +11,16 @@ HEAD Web sessions, it's quite possible it will need to be removed. Here's an overview: ``` - Sidekiq::Web needs a valid Rack session for CSRF protection. If this is a Rails app, - make sure you mount Sidekiq::Web *inside* your routes in `config/routes.rb`: +Sidekiq::Web needs a valid Rack session for CSRF protection. If this is a Rails app, +make sure you mount Sidekiq::Web *inside* your routes in `config/routes.rb` so +Sidekiq can reuse the Rails session: Rails.application.routes.draw do mount Sidekiq::Web => "/sidekiq" .... end - If this is a bare Rack app, use a session middleware before Sidekiq::Web: +If this is a bare Rack app, use a session middleware before Sidekiq::Web: # first, use IRB to create a shared secret key for sessions and commit it require 'securerandom'; File.open(".session.key", "w") {|f| f.write(SecureRandom.hex(32)) } diff --git a/lib/sidekiq/version.rb b/lib/sidekiq/version.rb index 78505e7e1..e0f4bc42b 100644 --- a/lib/sidekiq/version.rb +++ b/lib/sidekiq/version.rb @@ -1,5 +1,5 @@ # frozen_string_literal: true module Sidekiq - VERSION = "6.1.3" + VERSION = "6.2.0" end diff --git a/lib/sidekiq/web.rb b/lib/sidekiq/web.rb index 4fb641f15..fff3fa8ef 100644 --- a/lib/sidekiq/web.rb +++ b/lib/sidekiq/web.rb @@ -68,11 +68,11 @@ def set(attribute, value) end def sessions=(val) - puts "Sidekiq::Web.sessions= is no longer relevant and will be removed in Sidekiq 7.0. #{caller[2..2].first}" + puts "WARNING: Sidekiq::Web.sessions= is no longer relevant and will be removed in Sidekiq 7.0. #{caller(1..1).first}" end def session_secret=(val) - puts "Sidekiq::Web.session_secret= is no longer relevant and will be removed in Sidekiq 7.0. #{caller[2..2].first}" + puts "WARNING: Sidekiq::Web.session_secret= is no longer relevant and will be removed in Sidekiq 7.0. #{caller(1..1).first}" end attr_accessor :app_url, :redis_pool From c7cee69d31f1a224fa293f1f0f5f0b646d4497ca Mon Sep 17 00:00:00 2001 From: Mike Perham Date: Fri, 12 Feb 2021 14:44:45 -0800 Subject: [PATCH 6/7] add issue number --- Changes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changes.md b/Changes.md index 86cfd0cd3..e46be3a5d 100644 --- a/Changes.md +++ b/Changes.md @@ -5,7 +5,7 @@ HEAD --------- -- Refactor Web UI session usage. +- Refactor Web UI session usage. [#4804] Numerous people have hit "Forbidden" errors and struggled with Sidekiq's Web UI session requirement. If you have code in your initializer for Web sessions, it's quite possible it will need to be removed. Here's From eca0bd71bb491db95b5acded77c6adeff36f71f8 Mon Sep 17 00:00:00 2001 From: Mike Perham Date: Fri, 12 Feb 2021 14:45:57 -0800 Subject: [PATCH 7/7] Update lock --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 4fc5b655d..b868df523 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -9,7 +9,7 @@ GIT PATH remote: . specs: - sidekiq (6.1.3) + sidekiq (6.2.0) connection_pool (>= 2.2.2) rack (~> 2.0) redis (>= 4.2.0)