function SessionHttpsTest::testHttpsSession

Same name and namespace in other branches
  1. 8.9.x core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php \Drupal\Tests\system\Functional\Session\SessionHttpsTest::testHttpsSession()
  2. 10 core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php \Drupal\Tests\system\Functional\Session\SessionHttpsTest::testHttpsSession()
  3. 11.x core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php \Drupal\Tests\system\Functional\Session\SessionHttpsTest::testHttpsSession()

Tests HTTPS sessions.

File

core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php, line 66

Class

SessionHttpsTest
Ensure that when running under HTTPS two session cookies are generated.

Namespace

Drupal\Tests\system\Functional\Session

Code

public function testHttpsSession() {
  $user = $this->drupalCreateUser([
    'access administration pages',
  ]);
  /** @var \Symfony\Component\BrowserKit\CookieJar $browser_kit_cookie_jar */
  $browser_kit_cookie_jar = $this->getSession()
    ->getDriver()
    ->getClient()
    ->getCookieJar();
  // Test HTTPS session handling by submitting the login form through
  // https.php, which creates a mock HTTPS request.
  $this->loginHttps($user);
  $first_secure_session = $this->getSession()
    ->getCookie($this->secureSessionName);
  // Test a second concurrent session.
  $this->loginHttps($user);
  $this->assertNotSame($first_secure_session, $this->getSession()
    ->getCookie($this->secureSessionName));
  // Check secure cookie is set.
  $this->assertTrue((bool) $this->getSession()
    ->getCookie($this->secureSessionName));
  // Check insecure cookie is not set.
  $this->assertFalse((bool) $this->getSession()
    ->getCookie($this->insecureSessionName));
  $this->assertSessionIds($this->getSession()
    ->getCookie($this->secureSessionName), 'Session has a non-empty SID and a correct secure SID.');
  $this->assertSessionIds($first_secure_session, 'The first secure session still exists.');
  // Verify that user is logged in on secure URL.
  $this->drupalGet($this->httpsUrl('admin/config'));
  $this->assertSession()
    ->pageTextContains('Configuration');
  $this->assertSession()
    ->statusCodeEquals(200);
  // Verify that user is not logged in on non-secure URL.
  $this->drupalGet($this->httpUrl('admin/config'));
  $this->assertSession()
    ->pageTextNotContains('Configuration');
  $this->assertSession()
    ->statusCodeEquals(403);
  // Verify that empty SID cannot be used on the non-secure site.
  $browser_kit_cookie_jar->set(Cookie::fromString($this->insecureSessionName . '=', $this->baseUrl));
  $this->drupalGet($this->httpUrl('admin/config'));
  $this->assertSession()
    ->statusCodeEquals(403);
  // Remove the secure session name from the cookie jar before logging in via
  // HTTP on HTTPS environments.
  $browser_kit_cookie_jar->expire($this->secureSessionName);
  // Test HTTP session handling by submitting the login form through http.php,
  // which creates a mock HTTP request on HTTPS test environments.
  $this->loginHttp($user);
  $this->drupalGet($this->httpUrl('admin/config'));
  $this->assertSession()
    ->statusCodeEquals(200);
  $this->assertSessionIds($this->getSession()
    ->getCookie($this->insecureSessionName), 'Session has the correct SID and an empty secure SID.');
  // Verify that empty secure SID cannot be used on the secure site.
  $browser_kit_cookie_jar->set(Cookie::fromString($this->secureSessionName . '=', $this->baseUrl));
  $this->drupalGet($this->httpsUrl('admin/config'));
  $this->assertSession()
    ->statusCodeEquals(403);
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.