public function SessionHttpsTest::testHttpsSession in Drupal 10
Same name and namespace in other branches
- 8 core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php \Drupal\Tests\system\Functional\Session\SessionHttpsTest::testHttpsSession()
- 9 core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php \Drupal\Tests\system\Functional\Session\SessionHttpsTest::testHttpsSession()
Tests HTTPS sessions.
File
- core/
modules/ system/ tests/ src/ Functional/ Session/ SessionHttpsTest.php, line 66
Class
- SessionHttpsTest
- Ensure that when running under HTTPS two session cookies are generated.
Namespace
Drupal\Tests\system\Functional\SessionCode
public function testHttpsSession() {
$user = $this
->drupalCreateUser([
'access administration pages',
]);
/** @var \Symfony\Component\BrowserKit\CookieJar $browser_kit_cookie_jar */
$browser_kit_cookie_jar = $this
->getSession()
->getDriver()
->getClient()
->getCookieJar();
// Test HTTPS session handling by submitting the login form through
// https.php, which creates a mock HTTPS request.
$this
->loginHttps($user);
$first_secure_session = $this
->getSession()
->getCookie($this->secureSessionName);
// Test a second concurrent session.
$this
->loginHttps($user);
$this
->assertNotSame($first_secure_session, $this
->getSession()
->getCookie($this->secureSessionName));
// Check secure cookie is set.
$this
->assertTrue((bool) $this
->getSession()
->getCookie($this->secureSessionName));
// Check insecure cookie is not set.
$this
->assertFalse((bool) $this
->getSession()
->getCookie($this->insecureSessionName));
$this
->assertSessionIds($this
->getSession()
->getCookie($this->secureSessionName), 'Session has a non-empty SID and a correct secure SID.');
$this
->assertSessionIds($first_secure_session, 'The first secure session still exists.');
// Verify that user is logged in on secure URL.
$this
->drupalGet($this
->httpsUrl('admin/config'));
$this
->assertSession()
->pageTextContains('Configuration');
$this
->assertSession()
->statusCodeEquals(200);
// Verify that user is not logged in on non-secure URL.
$this
->drupalGet($this
->httpUrl('admin/config'));
$this
->assertSession()
->pageTextNotContains('Configuration');
$this
->assertSession()
->statusCodeEquals(403);
// Verify that empty SID cannot be used on the non-secure site.
$browser_kit_cookie_jar
->set(Cookie::fromString($this->insecureSessionName . '=', $this->baseUrl));
$this
->drupalGet($this
->httpUrl('admin/config'));
$this
->assertSession()
->statusCodeEquals(403);
// Remove the secure session name from the cookie jar before logging in via
// HTTP on HTTPS environments.
$browser_kit_cookie_jar
->expire($this->secureSessionName);
// Test HTTP session handling by submitting the login form through http.php,
// which creates a mock HTTP request on HTTPS test environments.
$this
->loginHttp($user);
$this
->drupalGet($this
->httpUrl('admin/config'));
$this
->assertSession()
->statusCodeEquals(200);
$this
->assertSessionIds($this
->getSession()
->getCookie($this->insecureSessionName), 'Session has the correct SID and an empty secure SID.');
// Verify that empty secure SID cannot be used on the secure site.
$browser_kit_cookie_jar
->set(Cookie::fromString($this->secureSessionName . '=', $this->baseUrl));
$this
->drupalGet($this
->httpsUrl('admin/config'));
$this
->assertSession()
->statusCodeEquals(403);
}