function CaptchaSessionReuseAttackTestCase::testCaptchaSessionReuseAttackDetectionOnLoginForm in CAPTCHA 7

Same name and namespace in other branches

1. 6.2 captcha.test \CaptchaSessionReuseAttackTestCase::testCaptchaSessionReuseAttackDetectionOnLoginForm()

File

./captcha.test, line 1072

Tests for CAPTCHA module.

Class

CaptchaSessionReuseAttackTestCase

Code

function testCaptchaSessionReuseAttackDetectionOnLoginForm() {

  // Set CAPTCHA on login form.
  captcha_set_form_id_setting('user_login', 'captcha/Math');
  variable_set('captcha_persistence', CAPTCHA_PERSISTENCE_SKIP_ONCE_SUCCESSFUL_PER_FORM_INSTANCE);

  // Go to log in form.
  $this
    ->drupalGet('user');
  $this
    ->assertCaptchaPresence(TRUE);

  // Get CAPTCHA session ID and solution of the challenge.
  $captcha_sid = $this
    ->getCaptchaSidFromForm();
  $captcha_token = $this
    ->getCaptchaTokenFromForm();
  $solution = $this
    ->getMathCaptchaSolutionFromForm();

  // Log in through form.
  $edit = array(
    'name' => $this->normal_user->name,
    'pass' => $this->normal_user->pass_raw,
    'captcha_response' => $solution,
  );
  $this
    ->drupalPost(NULL, $edit, t('Log in'));
  $this
    ->assertCaptchaResponseAccepted();
  $this
    ->assertCaptchaPresence(FALSE);

  // If a "log out" link appears on the page, it is almost certainly because
  // the login was successful.
  $pass = $this
    ->assertLink(t('Log out'), 0, t('User %name successfully logged in.', array(
    '%name' => $this->normal_user->name,
  )), t('User login'));

  // Log out again.
  $this
    ->drupalLogout();

  // Try to log in again, reusing the previous CAPTCHA session.
  $edit += array(
    'captcha_sid' => $captcha_sid,
    'captcha_token' => $captcha_token,
  );
  $this
    ->drupalPost('user', $edit, t('Log in'));

  // CAPTCHA session reuse attack should be detected.
  $this
    ->assertCaptchaSessionIdReuseAttackDetection();

  // There should be a CAPTCHA.
  $this
    ->assertCaptchaPresence(TRUE);
}