
function BotchaSessionReuseAttackTestCase::testBotchaSessionReuseAttackDetectionOnLoginForm in BOTCHA Spam Prevention 6

Same name and namespace in other branches
  1. 7 botcha.test \BotchaSessionReuseAttackTestCase::testBotchaSessionReuseAttackDetectionOnLoginForm()

File

./botcha.test, line 965
Tests for BOTCHA module.

Class

BotchaSessionReuseAttackTestCase

Code

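/**
 * Tests that replaying a used BOTCHA session on the login form is detected.
 *
 * Scenario: BOTCHA is enabled on the 'user_login' form, the form_build_id of
 * the freshly rendered login form is recorded, and a normal login is completed
 * with it. After logging out, the same credentials are posted again together
 * with the recorded, already used form_build_id. The test expects the module
 * to flag the reuse and to present a BOTCHA again.
 *
 * NOTE(review): nothing in this method asserts directly that the replayed
 * login was refused (for example, that no "Log out" link is shown afterwards).
 * Presumably assertBotchaSessionIdReuseAttackDetection() covers that -- confirm,
 * since detection without rejection would leave the replay effective.
 */
function testBotchaSessionReuseAttackDetectionOnLoginForm() {
  // Set BOTCHA on login form. The meaning of the 'test' value is defined by
  // botcha_set_form_id_setting(), which is not visible here.
  botcha_set_form_id_setting('user_login', 'test');

  // Go to log in form and make sure the protection is actually rendered.
  $this->drupalGet('user');
  $this->assertBotchaPresence(TRUE);

  // Remember the build ID of this form instance so it can be replayed later.
  $form_build_id = $this->getFormBuildIdFromForm();

  // First, legitimate login through the form that was just loaded.
  $edit = array(
    'name' => $this->normal_user->name,
    'pass' => $this->normal_user->pass_raw,
  );
  $this->drupalPost(NULL, $edit, t('Log in'));
  $this->assertBotchaResponseAccepted();
  $this->assertBotchaPresence(FALSE);

  // If a "log out" link appears on the page, it is almost certainly because
  // the login was successful.
  $this->assertLink(t('Log out'), 0, t('User %name successfully logged in.', array(
    '%name' => $this->normal_user->name,
  )), t('User login'));

  // Log out again, ending the authenticated session.
  $this->drupalLogout();

  // Try to log in again, reusing the previous BOTCHA session. The array union
  // only adds 'form_build_id'; the credentials already in $edit are kept.
  $edit += array(
    'form_build_id' => $form_build_id,
  );
  $this->drupalPost('user', $edit, t('Log in'));

  // BOTCHA session reuse attack should be detected.
  $this->assertBotchaSessionIdReuseAttackDetection();

  // There should be a BOTCHA again on the page returned for the replay.
  $this->assertBotchaPresence(TRUE);
}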