
public function SessionHttpsTest::testHttpsSession in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/system/src/Tests/Session/SessionHttpsTest.php \Drupal\system\Tests\Session\SessionHttpsTest::testHttpsSession()

File

core/modules/system/src/Tests/Session/SessionHttpsTest.php, line 57
Contains \Drupal\system\Tests\Session\SessionHttpsTest.

Class

SessionHttpsTest
Ensure that when running under HTTPS two session cookies are generated.

Namespace

Drupal\system\Tests\Session

Code

/**
 * Exercises session handling for logins made over mock HTTPS and mock HTTP.
 *
 * Steps, in order:
 * - log in twice over HTTPS (the second time with an emptied cookie jar) and
 *   check that the secure session cookie carries the 'secure' attribute while
 *   no cookie exists under the insecure session name;
 * - request admin/config and expect 200 over HTTPS and 403 over HTTP;
 * - send a session cookie with an empty value and expect 403 on each scheme;
 * - log in over HTTP and expect 200 for admin/config over HTTP.
 *
 * Only the 'secure' cookie attribute is asserted here; no other cookie
 * attribute is examined by this test.
 */
public function testHttpsSession() {
  $account = $this->drupalCreateUser(['access administration pages']);

  // The login form is submitted through https.php, which creates a mock
  // HTTPS request, so the session below is established over HTTPS.
  $this->loginHttps($account);

  // Open a second, concurrent session: drop the connection, empty the cookies
  // that would be sent, and log in again.
  $this->curlClose();
  $this->curlCookies = [];
  $this->loginHttps($account);

  // The session cookie issued on the secure page must carry the secure
  // attribute, so that a browser only returns it over HTTPS.
  $secureCookie = $this->cookies[$this->secureSessionName];
  $this->assertTrue($secureCookie['secure'], 'The secure cookie has the secure attribute');

  // No cookie may exist under the insecure session name after an HTTPS login.
  // NOTE(review): the class summary speaks of two session cookies under
  // HTTPS, whereas this assertion expects the insecure one to be absent; the
  // summary may be stale.
  $insecureCookiePresent = isset($this->cookies[$this->insecureSessionName]);
  $this->assertFalse($insecureCookiePresent);
  $secureSid = $secureCookie['value'];
  $this->assertSessionIds($secureSid, 'Session has a non-empty SID and a correct secure SID.');

  // Over HTTPS the user is logged in and can reach the admin page.
  $secureAdminUrl = $this->httpsUrl('admin/config');
  $this->drupalGet($secureAdminUrl);
  $this->assertText(t('Configuration'));
  $this->assertResponse(200);

  // Over plain HTTP the same user is not logged in: the page is refused.
  $plainAdminUrl = $this->httpUrl('admin/config');
  $this->drupalGet($plainAdminUrl);
  $this->assertNoText(t('Configuration'));
  $this->assertResponse(403);

  // An insecure session cookie with an empty value must not grant access on
  // the non-secure site.
  $this->curlClose();
  $this->curlCookies = [$this->insecureSessionName . '='];
  $plainAdminUrl = $this->httpUrl('admin/config');
  $this->drupalGet($plainAdminUrl);
  $this->assertResponse(403);

  // Now log in through http.php, which creates a mock HTTP request on HTTPS
  // test environments, starting again from an empty cookie jar.
  $this->curlClose();
  $this->curlCookies = [];
  $this->loginHttp($account);
  $plainAdminUrl = $this->httpUrl('admin/config');
  $this->drupalGet($plainAdminUrl);
  $this->assertResponse(200);
  $insecureSid = $this->cookies[$this->insecureSessionName]['value'];
  // NOTE(review): this call passes three arguments while the earlier
  // assertSessionIds() call passes two. The helper is defined outside this
  // listing; if it takes only ($sid, $assertion_text), the message used here
  // is '' and the third string is ignored. Confirm against the helper.
  $this->assertSessionIds($insecureSid, '', 'Session has the correct SID and an empty secure SID.');

  // A secure session cookie with an empty value must not grant access on the
  // secure site.
  $this->curlClose();
  $this->curlCookies = [$this->secureSessionName . '='];
  $secureAdminUrl = $this->httpsUrl('admin/config');
  $this->drupalGet($secureAdminUrl);
  $this->assertResponse(403);

  // Empty the browser cookie jar.
  $this->cookies = [];
}