function SessionTest::testSessionSaveRegenerate

Same name and namespace in other branches
  1. 9 core/modules/system/tests/src/Functional/Session/SessionTest.php \Drupal\Tests\system\Functional\Session\SessionTest::testSessionSaveRegenerate()
  2. 8.9.x core/modules/system/tests/src/Functional/Session/SessionTest.php \Drupal\Tests\system\Functional\Session\SessionTest::testSessionSaveRegenerate()
  3. 11.x core/modules/system/tests/src/Functional/Session/SessionTest.php \Drupal\Tests\system\Functional\Session\SessionTest::testSessionSaveRegenerate()

Tests session writing and regeneration.

@covers \Drupal\Core\Session\WriteSafeSessionHandler::setSessionWritable
@covers \Drupal\Core\Session\WriteSafeSessionHandler::isSessionWritable
@covers \Drupal\Core\Session\SessionManager::regenerate

File

core/modules/system/tests/src/Functional/Session/SessionTest.php, line 35

Class

SessionTest
Drupal session handling tests.

Namespace

Drupal\Tests\system\Functional\Session

Code

public function testSessionSaveRegenerate() : void {
  $session_handler = $this->container
    ->get('session_handler.write_safe');
  $this->assertTrue($session_handler->isSessionWritable(), '$session_handler->isSessionWritable() initially returns TRUE.');
  $session_handler->setSessionWritable(FALSE);
  $this->assertFalse($session_handler->isSessionWritable(), '$session_handler->isSessionWritable() returns FALSE after disabling.');
  $session_handler->setSessionWritable(TRUE);
  $this->assertTrue($session_handler->isSessionWritable(), '$session_handler->isSessionWritable() returns TRUE after enabling.');
  // Test session hardening code from SA-2008-044.
  $user = $this->drupalCreateUser();
  // Enable sessions.
  $this->sessionReset();
  // Make sure the session cookie is set as HttpOnly. We can only test this
  // in the response header because, with the test setup,
  // \GuzzleHttp\Cookie\SetCookie::getHttpOnly() always returns FALSE.
  //
  // Start a new session by setting a message.
  $this->drupalGet('session-test/set-message');
  $this->assertSessionCookie(TRUE);
  // Verify that the session cookie is set as HttpOnly.
  $this->assertSession()
    ->responseHeaderMatches('Set-Cookie', '/HttpOnly/i');
  // Verify that the session is regenerated if a module calls exit
  // in hook_user_login().
  $user->name = 'session_test_user';
  $user->save();
  $this->drupalGet('session-test/id');
  $matches = [];
  preg_match('/\\s*session_id:(.*)\\n/', $this->getSession()
    ->getPage()
    ->getContent(), $matches);
  $this->assertNotEmpty($matches[1], 'Found session ID before logging in.');
  $original_session = $matches[1];
  // We cannot use $this->drupalLogin($user); because we exit in
  // session_test_user_login() which breaks a normal assertion.
  $edit = [
    'name' => $user->getAccountName(),
    'pass' => $user->passRaw,
  ];
  $this->drupalGet('user/login');
  $this->submitForm($edit, 'Log in');
  $this->drupalGet('user');
  $this->assertSession()
    ->pageTextContains($user->getAccountName());
  $this->drupalGet('session-test/id');
  $matches = [];
  preg_match('/\\s*session_id:(.*)\\n/', $this->getSession()
    ->getPage()
    ->getContent(), $matches);
  $this->assertNotEmpty($matches[1], 'Found session ID after logging in.');
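  // A different ID after login means the pre-login session ID was not
  // carried over into the authenticated session.
  $this->assertNotSame($original_session, $matches[1], 'Session ID changed after login.');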
}
