Add note about sessions and Rails apps in API mode

Changes.md

@@ -6,6 +6,8 @@ HEAD
 ---------
 
 - Update RTT warning logic to handle transient RTT spikes [#4851]
+- Fix very low priority CVE on unescaped queue name [#4852]
+- Add note about sessions and Rails apps in API mode
 
 6.2.0
 ---------
@@ -36,6 +38,10 @@ If this is a bare Rack app, use a session middleware before Sidekiq::Web:
   # now, update your Rack app to include the secret with a session cookie middleware
   use Rack::Session::Cookie, secret: File.read(".session.key"), same_site: true, max_age: 86400
   run Sidekiq::Web
+
+If this is a Rails app in API mode, you need to enable sessions.
+
+  https://guides.rubyonrails.org/api_app.html#using-session-middlewares
 ```
 
 6.1.3

lib/sidekiq/web/csrf_protection.rb

@@ -77,16 +77,19 @@ def session(env)
           end
 
 
-          If this is a bare Rack app, use a session middleware before Sidekiq::Web:
+          If this is a Rails app in API mode, you need to enable sessions.
+
+            https://guides.rubyonrails.org/api_app.html#using-session-middlewares
 
+          If this is a bare Rack app, use a session middleware before Sidekiq::Web:
 
-          # first, use IRB to create a shared secret key for sessions and commit it
-          require 'securerandom'; File.open(".session.key", "w") {|f| f.write(SecureRandom.hex(32)) }
+            # first, use IRB to create a shared secret key for sessions and commit it
+            require 'securerandom'; File.open(".session.key", "w") {|f| f.write(SecureRandom.hex(32)) }
 
+            # now use the secret with a session cookie middleware
+            use Rack::Session::Cookie, secret: File.read(".session.key"), same_site: true, max_age: 86400
+            run Sidekiq::Web
 
-          # now use the secret with a session cookie middleware
-          use Rack::Session::Cookie, secret: File.read(".session.key"), same_site: true, max_age: 86400
-          run Sidekiq::Web
         EOM
       end