You are here

public function SessionTest::testSessionSaveRegenerate in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/system/tests/src/Functional/Session/SessionTest.php \Drupal\Tests\system\Functional\Session\SessionTest::testSessionSaveRegenerate()

Tests for \Drupal\Core\Session\WriteSafeSessionHandler::setSessionWritable() ::isSessionWritable and \Drupal\Core\Session\SessionManager::regenerate().

File

core/modules/system/tests/src/Functional/Session/SessionTest.php, line 33

Class

SessionTest
Drupal session handling tests.

Namespace

Drupal\Tests\system\Functional\Session

Code

public function testSessionSaveRegenerate() {
  $session_handler = $this->container
    ->get('session_handler.write_safe');
  $this
    ->assertTrue($session_handler
    ->isSessionWritable(), 'session_handler->isSessionWritable() initially returns TRUE.');
  $session_handler
    ->setSessionWritable(FALSE);
  $this
    ->assertFalse($session_handler
    ->isSessionWritable(), '$session_handler->isSessionWritable() returns FALSE after disabling.');
  $session_handler
    ->setSessionWritable(TRUE);
  $this
    ->assertTrue($session_handler
    ->isSessionWritable(), '$session_handler->isSessionWritable() returns TRUE after enabling.');

  // Test session hardening code from SA-2008-044.
  $user = $this
    ->drupalCreateUser();

  // Enable sessions.
  $this
    ->sessionReset();

  // Make sure the session cookie is set as HttpOnly. We can only test this in
  // the header, with the test setup
  // \GuzzleHttp\Cookie\SetCookie::getHttpOnly() always returns FALSE.
  // Start a new session by setting a message.
  $this
    ->drupalGet('session-test/set-message');
  $this
    ->assertSessionCookie(TRUE);

  // Verify that the session cookie is set as HttpOnly.
  $this
    ->assertSession()
    ->responseHeaderMatches('Set-Cookie', '/HttpOnly/i');

  // Verify that the session is regenerated if a module calls exit
  // in hook_user_login().
  $user->name = 'session_test_user';
  $user
    ->save();
  $this
    ->drupalGet('session-test/id');
  $matches = [];
  preg_match('/\\s*session_id:(.*)\\n/', $this
    ->getSession()
    ->getPage()
    ->getContent(), $matches);
  $this
    ->assertTrue(!empty($matches[1]), 'Found session ID before logging in.');
  $original_session = $matches[1];

  // We cannot use $this->drupalLogin($user); because we exit in
  // session_test_user_login() which breaks a normal assertion.
  $edit = [
    'name' => $user
      ->getAccountName(),
    'pass' => $user->passRaw,
  ];
  $this
    ->drupalGet('user/login');
  $this
    ->submitForm($edit, 'Log in');
  $this
    ->drupalGet('user');
  $this
    ->assertSession()
    ->pageTextContains($user
    ->getAccountName());
  $this
    ->drupalGet('session-test/id');
  $matches = [];
  preg_match('/\\s*session_id:(.*)\\n/', $this
    ->getSession()
    ->getPage()
    ->getContent(), $matches);
  $this
    ->assertTrue(!empty($matches[1]), 'Found session ID after logging in.');
  $this
    ->assertNotSame($original_session, $matches[1], 'Session ID changed after login.');
}