function SessionHttpsTest::testHttpsSession
Same name in other branches
- 9 core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php \Drupal\Tests\system\Functional\Session\SessionHttpsTest::testHttpsSession()
- 8.9.x core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php \Drupal\Tests\system\Functional\Session\SessionHttpsTest::testHttpsSession()
- 11.x core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php \Drupal\Tests\system\Functional\Session\SessionHttpsTest::testHttpsSession()
Tests HTTPS sessions.
File
-
core/
modules/ system/ tests/ src/ Functional/ Session/ SessionHttpsTest.php, line 66
Class
- SessionHttpsTest
- Ensure that when running under HTTPS two session cookies are generated.
Namespace
Drupal\Tests\system\Functional\SessionCode
public function testHttpsSession() : void {
$user = $this->drupalCreateUser([
'access administration pages',
'administer site configuration',
]);
/** @var \Symfony\Component\BrowserKit\CookieJar $browser_kit_cookie_jar */
$browser_kit_cookie_jar = $this->getSession()
->getDriver()
->getClient()
->getCookieJar();
// Test HTTPS session handling by submitting the login form through
// https.php, which creates a mock HTTPS request.
$this->loginHttps($user);
$first_secure_session = $this->getSession()
->getCookie($this->secureSessionName);
// Test a second concurrent session.
$this->loginHttps($user);
$this->assertNotSame($first_secure_session, $this->getSession()
->getCookie($this->secureSessionName));
// Check secure cookie is set.
$this->assertTrue((bool) $this->getSession()
->getCookie($this->secureSessionName));
// Check insecure cookie is not set.
$this->assertFalse((bool) $this->getSession()
->getCookie($this->insecureSessionName));
$this->assertSessionIds($this->getSession()
->getCookie($this->secureSessionName), 'Session has a non-empty SID and a correct secure SID.');
$this->assertSessionIds($first_secure_session, 'The first secure session still exists.');
// Verify that user is logged in on secure URL.
$this->drupalGet($this->httpsUrl('admin/config'));
$this->assertSession()
->pageTextContains('Configuration');
$this->assertSession()
->statusCodeEquals(200);
// Verify that user is not logged in on non-secure URL.
$this->drupalGet($this->httpUrl('admin/config'));
$this->assertSession()
->pageTextNotContains('Configuration');
$this->assertSession()
->statusCodeEquals(403);
// Verify that empty SID cannot be used on the non-secure site.
$browser_kit_cookie_jar->set(Cookie::fromString($this->insecureSessionName . '=', $this->baseUrl));
$this->drupalGet($this->httpUrl('admin/config'));
$this->assertSession()
->statusCodeEquals(403);
// Remove the secure session name from the cookie jar before logging in via
// HTTP on HTTPS environments.
$browser_kit_cookie_jar->expire($this->secureSessionName);
// Test HTTP session handling by submitting the login form through http.php,
// which creates a mock HTTP request on HTTPS test environments.
$this->loginHttp($user);
$this->drupalGet($this->httpUrl('admin/config'));
$this->assertSession()
->statusCodeEquals(200);
$this->assertSessionIds($this->getSession()
->getCookie($this->insecureSessionName), 'Session has the correct SID and an empty secure SID.');
// Verify that empty secure SID cannot be used on the secure site.
$browser_kit_cookie_jar->set(Cookie::fromString($this->secureSessionName . '=', $this->baseUrl));
$this->drupalGet($this->httpsUrl('admin/config'));
$this->assertSession()
->statusCodeEquals(403);
}
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.