function SessionTest::testSessionSaveRegenerate

Same name in other branches
  1. 8.9.x core/modules/system/tests/src/Functional/Session/SessionTest.php \Drupal\Tests\system\Functional\Session\SessionTest::testSessionSaveRegenerate()
  2. 10 core/modules/system/tests/src/Functional/Session/SessionTest.php \Drupal\Tests\system\Functional\Session\SessionTest::testSessionSaveRegenerate()
  3. 11.x core/modules/system/tests/src/Functional/Session/SessionTest.php \Drupal\Tests\system\Functional\Session\SessionTest::testSessionSaveRegenerate()

Tests session writing and regeneration.

@covers \Drupal\Core\Session\WriteSafeSessionHandler::setSessionWritable @covers \Drupal\Core\Session\WriteSafeSessionHandler::isSessionWritable @covers \Drupal\Core\Session\SessionManager::regenerate

File

core/modules/system/tests/src/Functional/Session/SessionTest.php, line 34

Class

SessionTest
Drupal session handling tests.

Namespace

Drupal\Tests\system\Functional\Session

Code

public function testSessionSaveRegenerate() {
    $session_handler = $this->container
        ->get('session_handler.write_safe');
    $this->assertTrue($session_handler->isSessionWritable(), 'session_handler->isSessionWritable() initially returns TRUE.');
    $session_handler->setSessionWritable(FALSE);
    $this->assertFalse($session_handler->isSessionWritable(), '$session_handler->isSessionWritable() returns FALSE after disabling.');
    $session_handler->setSessionWritable(TRUE);
    $this->assertTrue($session_handler->isSessionWritable(), '$session_handler->isSessionWritable() returns TRUE after enabling.');
    // Test session hardening code from SA-2008-044.
    $user = $this->drupalCreateUser();
    // Enable sessions.
    $this->sessionReset();
    // Make sure the session cookie is set as HttpOnly. We can only test this in
    // the header, with the test setup
    // \GuzzleHttp\Cookie\SetCookie::getHttpOnly() always returns FALSE.
    // Start a new session by setting a message.
    $this->drupalGet('session-test/set-message');
    $this->assertSessionCookie(TRUE);
    // Verify that the session cookie is set as HttpOnly.
    $this->assertSession()
        ->responseHeaderMatches('Set-Cookie', '/HttpOnly/i');
    // Verify that the session is regenerated if a module calls exit
    // in hook_user_login().
    $user->name = 'session_test_user';
    $user->save();
    $this->drupalGet('session-test/id');
    $matches = [];
    preg_match('/\\s*session_id:(.*)\\n/', $this->getSession()
        ->getPage()
        ->getContent(), $matches);
    $this->assertNotEmpty($matches[1], 'Found session ID before logging in.');
    $original_session = $matches[1];
    // We cannot use $this->drupalLogin($user); because we exit in
    // session_test_user_login() which breaks a normal assertion.
    $edit = [
        'name' => $user->getAccountName(),
        'pass' => $user->passRaw,
    ];
    $this->drupalGet('user/login');
    $this->submitForm($edit, 'Log in');
    $this->drupalGet('user');
    $this->assertSession()
        ->pageTextContains($user->getAccountName());
    $this->drupalGet('session-test/id');
    $matches = [];
    preg_match('/\\s*session_id:(.*)\\n/', $this->getSession()
        ->getPage()
        ->getContent(), $matches);
    $this->assertNotEmpty($matches[1], 'Found session ID after logging in.');
    $this->assertNotSame($original_session, $matches[1], 'Session ID changed after login.');
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.