function SessionHttpsTest::testHttpsSession

Same name in other branches
  1. 9 core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php \Drupal\Tests\system\Functional\Session\SessionHttpsTest::testHttpsSession()
  2. 8.9.x core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php \Drupal\Tests\system\Functional\Session\SessionHttpsTest::testHttpsSession()
  3. 10 core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php \Drupal\Tests\system\Functional\Session\SessionHttpsTest::testHttpsSession()

Tests HTTPS sessions.

File

core/modules/system/tests/src/Functional/Session/SessionHttpsTest.php, line 66

Class

SessionHttpsTest
Ensure that when running under HTTPS two session cookies are generated.

Namespace

Drupal\Tests\system\Functional\Session

Code

public function testHttpsSession() : void {
    $user = $this->drupalCreateUser([
        'access administration pages',
        'administer site configuration',
    ]);
    
    /** @var \Symfony\Component\BrowserKit\CookieJar $browser_kit_cookie_jar */
    $browser_kit_cookie_jar = $this->getSession()
        ->getDriver()
        ->getClient()
        ->getCookieJar();
    // Test HTTPS session handling by submitting the login form through
    // https.php, which creates a mock HTTPS request.
    $this->loginHttps($user);
    $first_secure_session = $this->getSession()
        ->getCookie($this->secureSessionName);
    // Test a second concurrent session.
    $this->loginHttps($user);
    $this->assertNotSame($first_secure_session, $this->getSession()
        ->getCookie($this->secureSessionName));
    // Check secure cookie is set.
    $this->assertTrue((bool) $this->getSession()
        ->getCookie($this->secureSessionName));
    // Check insecure cookie is not set.
    $this->assertFalse((bool) $this->getSession()
        ->getCookie($this->insecureSessionName));
    $this->assertSessionIds($this->getSession()
        ->getCookie($this->secureSessionName), 'Session has a non-empty SID and a correct secure SID.');
    $this->assertSessionIds($first_secure_session, 'The first secure session still exists.');
    // Verify that user is logged in on secure URL.
    $this->drupalGet($this->httpsUrl('admin/config'));
    $this->assertSession()
        ->pageTextContains('Configuration');
    $this->assertSession()
        ->statusCodeEquals(200);
    // Verify that user is not logged in on non-secure URL.
    $this->drupalGet($this->httpUrl('admin/config'));
    $this->assertSession()
        ->pageTextNotContains('Configuration');
    $this->assertSession()
        ->statusCodeEquals(403);
    // Verify that empty SID cannot be used on the non-secure site.
    $browser_kit_cookie_jar->set(Cookie::fromString($this->insecureSessionName . '=', $this->baseUrl));
    $this->drupalGet($this->httpUrl('admin/config'));
    $this->assertSession()
        ->statusCodeEquals(403);
    // Remove the secure session name from the cookie jar before logging in via
    // HTTP on HTTPS environments.
    $browser_kit_cookie_jar->expire($this->secureSessionName);
    // Test HTTP session handling by submitting the login form through http.php,
    // which creates a mock HTTP request on HTTPS test environments.
    $this->loginHttp($user);
    $this->drupalGet($this->httpUrl('admin/config'));
    $this->assertSession()
        ->statusCodeEquals(200);
    $this->assertSessionIds($this->getSession()
        ->getCookie($this->insecureSessionName), 'Session has the correct SID and an empty secure SID.');
    // Verify that empty secure SID cannot be used on the secure site.
    $browser_kit_cookie_jar->set(Cookie::fromString($this->secureSessionName . '=', $this->baseUrl));
    $this->drupalGet($this->httpsUrl('admin/config'));
    $this->assertSession()
        ->statusCodeEquals(403);
}
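The assertions above run inside Drupal's functional test harness. The same cookie-issuance invariants can be checked from outside against the raw Set-Cookie headers of a login response, which is useful when auditing a deployment rather than the code base. The script below is an added example, not part of SessionHttpsTest or Drupal core. It assumes Drupal's cookie naming, where the HTTPS session cookie name starts with `SSESS` and the HTTP one with `SESS` (the hash suffix is treated as opaque), and the sample headers are constructed, not captured from a site. It also flags a secure session cookie that lacks the `Secure` attribute; the test above does not assert that attribute, it is an additional check added here. The replay half of the test (an `SSESS` cookie presented over HTTP must yield 403) needs a live target and is out of scope for an offline check.

```python
"""Black-box check of the session-cookie split exercised by SessionHttpsTest.

Added example, not Drupal code. Parses the Set-Cookie headers of a login
response and checks the invariants the test asserts via getCookie():
  - an HTTPS login issues exactly one secure session cookie (name prefixed
    "SSESS") and no insecure one (prefixed "SESS");
  - an HTTP login issues exactly one insecure session cookie and no secure one;
  - the issued session ID is never empty.
Sample headers below are constructed, not captured from a real site.
"""
from __future__ import annotations

SECURE_PREFIX = "SSESS"    # assumption: Drupal's HTTPS session cookie prefix
INSECURE_PREFIX = "SESS"   # assumption: Drupal's HTTP session cookie prefix


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def session_kind(name: str) -> str | None:
    """Classify a cookie by its session prefix; None for non-session cookies."""
    if name.startswith(SECURE_PREFIX):
        return "secure"
    if name.startswith(INSECURE_PREFIX):
        return "insecure"
    return None


def check_login_response(scheme: str, set_cookie_headers: list[str]) -> list[str]:
    """Return findings; an empty list means the response matches the test's expectations."""
    expected = "secure" if scheme == "https" else "insecure"
    other = "insecure" if expected == "secure" else "secure"
    seen: dict[str, list[tuple[str, str, dict[str, str]]]] = {"secure": [], "insecure": []}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        kind = session_kind(name)
        if kind:
            seen[kind].append((name, value, attrs))

    findings: list[str] = []
    issued = seen[expected]
    if len(issued) != 1:
        findings.append(f"{scheme}: expected exactly one {expected} session cookie, got {len(issued)}")
    for name, value, attrs in issued:
        if not value:
            # The test plants an empty SID and expects 403; a server issuing one is a bug.
            findings.append(f"{scheme}: {name} issued with an empty session ID")
        if expected == "secure" and "secure" not in attrs:
            # Added check, not asserted by SessionHttpsTest itself.
            findings.append(f"{scheme}: {name} lacks the Secure attribute")
    for name, _value, _attrs in seen[other]:
        # Mirrors the test's "insecure cookie is not set" / "empty secure SID" checks.
        findings.append(f"{scheme}: unexpected {other} session cookie {name}")
    return findings


# Constructed sample responses (hash suffix and SIDs are made up).
HTTPS_LOGIN = [
    "SSESSc0ffee00c0ffee00c0ffee00c0ffee00=k3Jx9qzP0sTb; Max-Age=2000000; path=/; secure; HttpOnly; SameSite=Lax",
]
HTTP_LOGIN = [
    "SESSc0ffee00c0ffee00c0ffee00c0ffee00=Rw7bLm2Qa1Vn; Max-Age=2000000; path=/; HttpOnly; SameSite=Lax",
]
# A response that would fail the test: HTTPS login also leaking an insecure cookie.
BAD_HTTPS_LOGIN = HTTPS_LOGIN + ["SESSc0ffee00c0ffee00c0ffee00c0ffee00=; path=/; HttpOnly"]

if __name__ == "__main__":
    for scheme, headers in (("https", HTTPS_LOGIN), ("http", HTTP_LOGIN), ("https", BAD_HTTPS_LOGIN)):
        print(scheme, check_login_response(scheme, headers) or "ok")
```

Feed it the Set-Cookie headers from a real login response (one string per header) and the scheme the request was made over; any non-empty result is a deviation from what this test enforces.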
