
public function SessionHttpsTest::testHttpsSession in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php \Drupal\Tests\system\Functional\Session\SessionHttpsTest::testHttpsSession()

Tests HTTPS sessions.

File

core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php, line 66

Class

SessionHttpsTest
Ensure that when running under HTTPS two session cookies are generated.

Namespace

Drupal\Tests\system\Functional\Session

Code

/**
 * Tests HTTPS sessions.
 *
 * Logs in through the mock HTTPS endpoint and checks that only the secure
 * session cookie is issued, that the secure session does not authenticate
 * plain-HTTP requests, and that an empty session ID does not grant access on
 * either the secure or the insecure site.
 */
public function testHttpsSession() {
  $account = $this->drupalCreateUser(['access administration pages']);

  /** @var \Symfony\Component\BrowserKit\CookieJar $cookie_jar */
  $cookie_jar = $this->getSession()->getDriver()->getClient()->getCookieJar();

  // Log in through https.php, which simulates an HTTPS request, and remember
  // the secure session cookie that it issues.
  $this->loginHttps($account);
  $initial_secure_sid = $this->getSession()->getCookie($this->secureSessionName);

  // A second login must open a new secure session rather than reuse the first
  // one; no request happens between here and the assertions below, so the
  // cookie value can be read once.
  $this->loginHttps($account);
  $current_secure_sid = $this->getSession()->getCookie($this->secureSessionName);
  $this->assertNotSame($initial_secure_sid, $current_secure_sid);

  // After an HTTPS login only the secure cookie may be present.
  $this->assertTrue((bool) $current_secure_sid);
  $this->assertFalse((bool) $this->getSession()->getCookie($this->insecureSessionName));
  $this->assertSessionIds($current_secure_sid, 'Session has a non-empty SID and a correct secure SID.');
  $this->assertSessionIds($initial_secure_sid, 'The first secure session still exists.');

  // The secure session authenticates requests to the HTTPS site...
  $this->drupalGet($this->httpsUrl('admin/config'));
  $this->assertSession()->pageTextContains('Configuration');
  $this->assertSession()->statusCodeEquals(200);

  // ...but not requests to the plain-HTTP site.
  $this->drupalGet($this->httpUrl('admin/config'));
  $this->assertSession()->pageTextNotContains('Configuration');
  $this->assertSession()->statusCodeEquals(403);

  // An empty insecure SID must not be accepted as a session on the HTTP site.
  $cookie_jar->set(Cookie::fromString($this->insecureSessionName . '=', $this->baseUrl));
  $this->drupalGet($this->httpUrl('admin/config'));
  $this->assertSession()->statusCodeEquals(403);

  // Drop the secure cookie so that the HTTP login below, run on an HTTPS test
  // environment, starts without one.
  $cookie_jar->expire($this->secureSessionName);

  // Log in through http.php, which simulates a plain-HTTP request on an HTTPS
  // test environment, and check that the resulting insecure session works.
  $this->loginHttp($account);
  $this->drupalGet($this->httpUrl('admin/config'));
  $this->assertSession()->statusCodeEquals(200);
  $this->assertSessionIds($this->getSession()->getCookie($this->insecureSessionName), 'Session has the correct SID and an empty secure SID.');

  // An empty secure SID must not be accepted as a session on the HTTPS site.
  $cookie_jar->set(Cookie::fromString($this->secureSessionName . '=', $this->baseUrl));
  $this->drupalGet($this->httpsUrl('admin/config'));
  $this->assertSession()->statusCodeEquals(403);
}