You are here

public function SessionTest::testEmptySessionID in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/system/tests/src/Functional/Session/SessionTest.php \Drupal\Tests\system\Functional\Session\SessionTest::testEmptySessionID()

Tests that empty session IDs are not allowed.

File

core/modules/system/tests/src/Functional/Session/SessionTest.php, line 299

Class

SessionTest
Drupal session handling tests.

Namespace

Drupal\Tests\system\Functional\Session

Code

public function testEmptySessionID() {
  $user = $this
    ->drupalCreateUser([]);
  $this
    ->drupalLogin($user);
  $this
    ->drupalGet('session-test/is-logged-in');
  $this
    ->assertSession()
    ->statusCodeEquals(200);

  // Reset the sid in {sessions} to a blank string. This may exist in the
  // wild in some cases, although we normally prevent it from happening.
  Database::getConnection()
    ->update('sessions')
    ->fields([
    'sid' => '',
  ])
    ->condition('uid', $user
    ->id())
    ->execute();

  // Send a blank sid in the session cookie, and the session should no longer
  // be valid. Closing the curl handler will stop the previous session ID
  // from persisting.
  $this->mink
    ->resetSessions();
  $this
    ->drupalGet('session-test/id-from-cookie');

  // Verify that session ID is blank as sent from cookie header.
  $this
    ->assertSession()
    ->responseContains("session_id:\n");

  // Assert that we have an anonymous session now.
  $this
    ->drupalGet('session-test/is-logged-in');
  $this
    ->assertSession()
    ->statusCodeEquals(403);
}