Ensure that when running under HTTPS two session cookies are generated.
Expanded class hierarchy of SessionHttpsTestCase
class SessionHttpsTestCase extends DrupalWebTestCase {
public static function getInfo() {
return array(
'name' => 'Session HTTPS handling',
'description' => 'Ensure that when running under HTTPS two session cookies are generated.',
'group' => 'Session',
);
}
public function setUp() {
parent::setUp('session_test');
}
protected function testHttpsSession() {
global $is_https;
if ($is_https) {
$secure_session_name = session_name();
$insecure_session_name = substr(session_name(), 1);
}
else {
$secure_session_name = 'S' . session_name();
$insecure_session_name = session_name();
}
$user = $this
->drupalCreateUser(array(
'access administration pages',
));
// Test HTTPS session handling by altering the form action to submit the
// login form through https.php, which creates a mock HTTPS request.
$this
->drupalGet('user');
$form = $this
->xpath('//form[@id="user-login"]');
$form[0]['action'] = $this
->httpsUrl('user');
$edit = array(
'name' => $user->name,
'pass' => $user->pass_raw,
);
$this
->drupalPost(NULL, $edit, t('Log in'));
// Test a second concurrent session.
$this
->curlClose();
$this
->drupalGet('user');
$form = $this
->xpath('//form[@id="user-login"]');
$form[0]['action'] = $this
->httpsUrl('user');
$this
->drupalPost(NULL, $edit, t('Log in'));
// Check secure cookie on secure page.
$this
->assertTrue($this->cookies[$secure_session_name]['secure'], 'The secure cookie has the secure attribute');
// Check insecure cookie is not set.
$this
->assertFalse(isset($this->cookies[$insecure_session_name]));
$ssid = $this->cookies[$secure_session_name]['value'];
$this
->assertSessionIds($ssid, $ssid, 'Session has a non-empty SID and a correct secure SID.');
$cookie = $secure_session_name . '=' . $ssid;
// Verify that user is logged in on secure URL.
$this
->curlClose();
$this
->drupalGet($this
->httpsUrl('admin/config'), array(), array(
'Cookie: ' . $cookie,
));
$this
->assertText(t('Configuration'));
$this
->assertResponse(200);
// Verify that user is not logged in on non-secure URL.
$this
->curlClose();
$this
->drupalGet($this
->httpUrl('admin/config'), array(), array(
'Cookie: ' . $cookie,
));
$this
->assertNoText(t('Configuration'));
$this
->assertResponse(403);
// Verify that empty SID cannot be used on the non-secure site.
$this
->curlClose();
$cookie = $insecure_session_name . '=';
$this
->drupalGet($this
->httpUrl('admin/config'), array(), array(
'Cookie: ' . $cookie,
));
$this
->assertResponse(403);
// Test HTTP session handling by altering the form action to submit the
// login form through http.php, which creates a mock HTTP request on HTTPS
// test environments.
$this
->curlClose();
$this
->drupalGet('user');
$form = $this
->xpath('//form[@id="user-login"]');
$form[0]['action'] = $this
->httpUrl('user');
$edit = array(
'name' => $user->name,
'pass' => $user->pass_raw,
);
$this
->drupalPost(NULL, $edit, t('Log in'));
$this
->drupalGet($this
->httpUrl('admin/config'));
$this
->assertResponse(200);
$sid = $this->cookies[$insecure_session_name]['value'];
$this
->assertSessionIds($sid, '', 'Session has the correct SID and an empty secure SID.');
// Verify that empty secure SID cannot be used on the secure site.
$this
->curlClose();
$cookie = $secure_session_name . '=';
$this
->drupalGet($this
->httpsUrl('admin/config'), array(), array(
'Cookie: ' . $cookie,
));
$this
->assertResponse(403);
// Clear browser cookie jar.
$this->cookies = array();
if ($is_https) {
// The functionality does not make sense when running on HTTPS.
return;
}
// Enable secure pages.
variable_set('https', TRUE);
$this
->curlClose();
// Start an anonymous session on the insecure site.
$session_data = $this
->randomName();
$this
->drupalGet('session-test/set/' . $session_data);
// Check secure cookie on insecure page.
$this
->assertFalse(isset($this->cookies[$secure_session_name]), 'The secure cookie is not sent on insecure pages.');
// Check insecure cookie on insecure page.
$this
->assertFalse($this->cookies[$insecure_session_name]['secure'], 'The insecure cookie does not have the secure attribute');
// Store the anonymous cookie so we can validate that its session is killed
// after login.
$anonymous_cookie = $insecure_session_name . '=' . $this->cookies[$insecure_session_name]['value'];
// Check that password request form action is not secure.
$this
->drupalGet('user/password');
$form = $this
->xpath('//form[@id="user-pass"]');
$this
->assertNotEqual(substr($form[0]['action'], 0, 6), 'https:', 'Password request form action is not secure');
$form[0]['action'] = $this
->httpsUrl('user');
// Check that user login form action is secure.
$this
->drupalGet('user');
$form = $this
->xpath('//form[@id="user-login"]');
$this
->assertEqual(substr($form[0]['action'], 0, 6), 'https:', 'Login form action is secure');
$form[0]['action'] = $this
->httpsUrl('user');
$edit = array(
'name' => $user->name,
'pass' => $user->pass_raw,
);
$this
->drupalPost(NULL, $edit, t('Log in'));
// Check secure cookie on secure page.
$this
->assertTrue($this->cookies[$secure_session_name]['secure'], 'The secure cookie has the secure attribute');
// Check insecure cookie on secure page.
$this
->assertFalse($this->cookies[$insecure_session_name]['secure'], 'The insecure cookie does not have the secure attribute');
$sid = $this->cookies[$insecure_session_name]['value'];
$ssid = $this->cookies[$secure_session_name]['value'];
$this
->assertSessionIds($sid, $ssid, 'Session has both secure and insecure SIDs');
$cookies = array(
$insecure_session_name . '=' . $sid,
$secure_session_name . '=' . $ssid,
);
// Test that session data saved before login is still available on the
// authenticated session.
$this
->drupalGet('session-test/get');
$this
->assertText($session_data, 'Session correctly returned the stored data set by the anonymous session.');
foreach ($cookies as $cookie_key => $cookie) {
foreach (array(
'admin/config',
$this
->httpsUrl('admin/config'),
) as $url_key => $url) {
$this
->curlClose();
$this
->drupalGet($url, array(), array(
'Cookie: ' . $cookie,
));
if ($cookie_key == $url_key) {
$this
->assertText(t('Configuration'));
$this
->assertResponse(200);
}
else {
$this
->assertNoText(t('Configuration'));
$this
->assertResponse(403);
}
}
}
// Test that session data saved before login is not available using the
// pre-login anonymous cookie.
$this->cookies = array();
$this
->drupalGet('session-test/get', array(
'Cookie: ' . $anonymous_cookie,
));
$this
->assertNoText($session_data, 'Initial anonymous session is inactive after login.');
// Clear browser cookie jar.
$this->cookies = array();
// Start an anonymous session on the secure site.
$this
->drupalGet($this
->httpsUrl('session-test/set/1'));
// Mock a login to the secure site using the secure session cookie.
$this
->drupalGet('user');
$form = $this
->xpath('//form[@id="user-login"]');
$form[0]['action'] = $this
->httpsUrl('user');
$this
->drupalPost(NULL, $edit, t('Log in'));
// Test that the user is also authenticated on the insecure site.
$this
->drupalGet("user/{$user->uid}/edit");
$this
->assertResponse(200);
}
/**
* Tests that empty session IDs do not cause unrelated sessions to load.
*/
public function testEmptySessionId() {
global $is_https;
if ($is_https) {
$secure_session_name = session_name();
}
else {
$secure_session_name = 'S' . session_name();
}
// Enable mixed mode for HTTP and HTTPS.
variable_set('https', TRUE);
$admin_user = $this
->drupalCreateUser(array(
'access administration pages',
));
$standard_user = $this
->drupalCreateUser(array(
'access content',
));
// First log in as the admin user on HTTP.
// We cannot use $this->drupalLogin() here because we need to use the
// special http.php URLs.
$edit = array(
'name' => $admin_user->name,
'pass' => $admin_user->pass_raw,
);
$this
->drupalGet('user');
$form = $this
->xpath('//form[@id="user-login"]');
$form[0]['action'] = $this
->httpUrl('user');
$this
->drupalPost(NULL, $edit, t('Log in'));
$this
->curlClose();
// Now start a session for the standard user on HTTPS.
$edit = array(
'name' => $standard_user->name,
'pass' => $standard_user->pass_raw,
);
$this
->drupalGet('user');
$form = $this
->xpath('//form[@id="user-login"]');
$form[0]['action'] = $this
->httpsUrl('user');
$this
->drupalPost(NULL, $edit, t('Log in'));
// Make the secure session cookie blank.
curl_setopt($this->curlHandle, CURLOPT_COOKIE, "{$secure_session_name}=");
$this
->drupalGet($this
->httpsUrl('user'));
$this
->assertNoText($admin_user->name, 'User is not logged in as admin');
$this
->assertNoText($standard_user->name, "The user's own name is not displayed because the invalid session cookie has logged them out.");
}
/**
* Test that there exists a session with two specific session IDs.
*
* @param $sid
* The insecure session ID to search for.
* @param $ssid
* The secure session ID to search for.
* @param $assertion_text
* The text to display when we perform the assertion.
*
* @return
* The result of assertTrue() that there's a session in the system that
* has the given insecure and secure session IDs.
*/
protected function assertSessionIds($sid, $ssid, $assertion_text) {
$args = array(
':sid' => $sid,
':ssid' => $ssid,
);
return $this
->assertTrue(db_query('SELECT timestamp FROM {sessions} WHERE sid = :sid AND ssid = :ssid', $args)
->fetchField(), $assertion_text);
}
/**
* Builds a URL for submitting a mock HTTPS request to HTTP test environments.
*
* @param $url
* A Drupal path such as 'user'.
*
* @return
* An absolute URL.
*/
protected function httpsUrl($url) {
global $base_url;
return $base_url . '/modules/simpletest/tests/https.php?q=' . $url;
}
/**
* Builds a URL for submitting a mock HTTP request to HTTPS test environments.
*
* @param $url
* A Drupal path such as 'user'.
*
* @return
* An absolute URL.
*/
protected function httpUrl($url) {
global $base_url;
return $base_url . '/modules/simpletest/tests/http.php?q=' . $url;
}
}
Name | Modifiers | Type | Description | Overrides |
---|---|---|---|---|
DrupalWebTestCase:: |
protected | function | Will trigger a pass if the perl regex pattern is not present in raw content. | |
DrupalWebTestCase:: |
protected | function | Will trigger a pass if the Perl regex pattern is found in the raw content. | |
DrupalWebTestCase:: |
protected | property | Whether the files were copied to the test files directory. | |
DrupalTestCase:: |
protected | property | URL to the verbose output file directory. | |
DrupalTestCase:: |
protected | property | Time limit for the test. | |
DrupalTestCase:: |
protected | property | This class is skipped when looking for the source of an assertion. | |
DrupalWebTestCase:: |
protected | property | The value of the Drupal.settings JavaScript variable for the page currently loaded in the internal browser. | |
DrupalWebTestCase:: |
protected | property | The URL currently loaded in the internal browser. | |
DrupalTestCase:: |
protected | property | The test run ID. | |
DrupalWebTestCase:: |
protected | property | The profile to install as a basis for testing. | 20 |
DrupalWebTestCase:: |
protected | property | The parsed version of the page. | |
DrupalWebTestCase:: |
protected | property | The original user, before it was changed to a clean uid = 1 for testing purposes. | |
DrupalWebTestCase:: |
protected | property | The original shutdown handlers array, before it was cleaned for testing purposes. | |
DrupalTestCase:: |
protected | property | The original file directory, before it was changed for testing purposes. | |
DrupalWebTestCase:: |
protected | property | The number of redirects followed during the handling of a request. | |
DrupalWebTestCase:: |
protected | property | The headers of the page currently loaded in the internal browser. | |
DrupalWebTestCase:: |
protected | property | The handle of the current cURL connection. | |
DrupalTestCase:: |
protected | property | The database prefix of this test run. | |
DrupalWebTestCase:: |
protected | property | The current user logged in using the internal browser. | |
DrupalWebTestCase:: |
protected | property | The current session name, if available. | |
DrupalWebTestCase:: |
protected | property | The current session ID, if available. | |
DrupalWebTestCase:: |
protected | property | The current cookie file used by cURL. | |
DrupalWebTestCase:: |
protected | property | The cookies of the page currently loaded in the internal browser. | |
DrupalWebTestCase:: |
protected | property | The content of the page currently loaded in the internal browser. | |
DrupalWebTestCase:: |
protected | property | The content of the page currently loaded in the internal browser (plain text version). | |
SessionHttpsTestCase:: |
public | function | Tests that empty session IDs do not cause unrelated sessions to load. | |
SessionHttpsTestCase:: |
protected | function | Test that there exists a session with two specific session IDs. | |
DrupalWebTestCase:: |
protected | function | Takes a path and returns an absolute path. | |
DrupalTestCase:: |
public static | function | Store an assertion from outside the testing context. | |
SessionHttpsTestCase:: |
public | function |
Sets up a Drupal site for running functional and integration tests. Overrides DrupalWebTestCase:: |
|
DrupalWebTestCase:: |
protected | function | Sets the value of the Drupal.settings JavaScript variable for the currently loaded page. | |
DrupalWebTestCase:: |
protected | function | Sets the raw HTML content. This can be useful when a page has been fetched outside of the internal browser and assertions need to be made on the returned page. | |
DrupalWebTestCase:: |
protected | function | Runs cron in the Drupal installed by Simpletest. | |
DrupalTestCase:: |
public | function | Run all tests in this class. | |
DrupalTestCase:: |
public static | function | Returns the database connection to the site running Simpletest. | |
DrupalWebTestCase:: |
protected | function | Retrieves only the headers for a Drupal path or an absolute path. | |
DrupalWebTestCase:: |
protected | function | Retrieves a Drupal path or an absolute path. | |
DrupalWebTestCase:: |
protected | function | Retrieve a Drupal path or an absolute path and JSON decode the result. | |
DrupalWebTestCase:: |
protected | function | Reset all data structures after having enabled new modules. | |
DrupalWebTestCase:: |
protected | function | Refresh the in-memory set of variables. Useful after a page request is made that changes a variable in a different thread. | 1 |
DrupalWebTestCase:: |
protected | function | Reads headers and registers errors received from the tested site. | |
DrupalWebTestCase:: |
protected | function | Prepares the current environment for running the test. | |
DrupalWebTestCase:: |
protected | function | Preload the registry from the testing site. | |
DrupalWebTestCase:: |
protected | function | Perform an xpath search on the contents of the internal browser. The search is relative to the root element (HTML tag normally) of the page. | |
DrupalWebTestCase:: |
protected | function | Pass if the text is NOT found on the text version of the page. The text version is the equivalent of what a user would see when viewing through a web browser. In other words the HTML has been filtered out of the contents. | |
DrupalWebTestCase:: |
protected | function | Pass if the text is found ONLY ONCE on the text version of the page. | |
DrupalWebTestCase:: |
protected | function | Pass if the text IS found on the text version of the page. The text version is the equivalent of what a user would see when viewing through a web browser. In other words the HTML has been filtered out of the contents. | |
DrupalWebTestCase:: |
protected | function | Pass if the text is found MORE THAN ONCE on the text version of the page. | |
DrupalWebTestCase:: |
protected | function | Pass if the raw text is NOT found on the loaded page, fail otherwise. Raw text refers to the raw HTML that the page generated. | |
DrupalWebTestCase:: |
protected | function | Pass if the raw text IS found on the loaded page, fail otherwise. Raw text refers to the raw HTML that the page generated. | |
DrupalWebTestCase:: |
protected | function | Pass if the page title is the given string. | |
DrupalWebTestCase:: |
protected | function | Pass if the page title is not the given string. | |
DrupalWebTestCase:: |
protected | function | Pass if the internal browser's URL matches the given path. | |
DrupalWebTestCase:: |
protected | function | Pass if a link with the specified label is not found. | |
DrupalWebTestCase:: |
protected | function | Pass if a link with the specified label is found, and optional with the specified index. | |
DrupalWebTestCase:: |
protected | function | Pass if a link containing a given href (part) is not found. | |
DrupalWebTestCase:: |
protected | function | Pass if a link containing a given href (part) is found. | |
DrupalWebTestCase:: |
protected | function | Parse content returned from curlExec using DOM and SimpleXML. | |
DrupalWebTestCase:: |
protected | function | Outputs to verbose the most recent $count emails sent. | |
DrupalTestCase:: |
protected | function | Logs a verbose message in a text file. | |
DrupalWebTestCase:: |
protected | function | Log in a user with the internal browser. | |
DrupalTestCase:: |
protected | function | Internal helper: stores the assert. | |
DrupalWebTestCase:: |
protected | function | Initializes the cURL connection. | |
DrupalWebTestCase:: |
protected | function | Initializes and executes a cURL request. | |
DrupalWebTestCase:: |
protected | property | HTTP authentication method | |
DrupalWebTestCase:: |
protected | property | HTTP authentication credentials (<username>:<password>). | |
DrupalWebTestCase:: |
protected | function | Helper function: construct an XPath for the given set of attributes and value. | |
DrupalWebTestCase:: |
protected | function | Helper for assertUniqueText and assertNoUniqueText. | |
DrupalWebTestCase:: |
protected | function | Helper for assertText and assertNoText. | |
DrupalWebTestCase:: |
protected | function | Handle form input related to drupalPost(). Ensure that the specified fields exist and attempt to create POST data in the correct manner for the particular field type. | |
DrupalTestCase:: |
protected | function | Handle exceptions. | |
DrupalTestCase:: |
public | function | Handle errors during test runs. | 1 |
DrupalWebTestCase:: |
protected | function | Gets the value of the Drupal.settings JavaScript variable for the currently loaded page. | |
DrupalWebTestCase:: |
protected | function | Gets the value of an HTTP response header. If multiple requests were required to retrieve the page, only the headers from the last request will be checked by default. However, if TRUE is passed as the second argument, all requests will be processed… | |
DrupalWebTestCase:: |
protected | function | Gets the HTTP response headers of the requested page. Normally we are only interested in the headers returned by the last request. However, if a page is redirected or HTTP authentication is in use, multiple requests will be required to retrieve the… | |
DrupalWebTestCase:: |
protected | function | Gets the current raw HTML of requested page. | |
DrupalWebTestCase:: |
protected | function | Gets an array containing all e-mails sent during this test case. | |
DrupalWebTestCase:: |
protected | function | Get the selected value from a select field. | |
DrupalWebTestCase:: |
protected | function | Get the current URL from the cURL handler. | |
DrupalWebTestCase:: |
protected | function | Get all option elements, including nested options, in a select. | |
DrupalWebTestCase:: |
function | Get a node from the database based on its title. | ||
DrupalWebTestCase:: |
protected | function | Get a list files that can be used in tests. | |
DrupalTestCase:: |
public static | function | Generates a random string of ASCII characters of codes 32 to 126. | |
DrupalTestCase:: |
public static | function | Generates a random string containing letters and numbers. | |
DrupalWebTestCase:: |
protected | function | Generates a database prefix for running tests. | |
DrupalWebTestCase:: |
protected | function | Generate a token for the currently logged in user. | |
DrupalWebTestCase:: |
protected | function | Follows a link by name. | |
DrupalTestCase:: |
protected | property | Flag to indicate whether the test has been set up. | |
DrupalTestCase:: |
protected | function | Fire an error assertion. | 1 |
DrupalTestCase:: |
protected | function | Fire an assertion that is always positive. | |
DrupalTestCase:: |
protected | function | Fire an assertion that is always negative. | |
DrupalWebTestCase:: |
protected | function | Execute an Ajax submission. | |
DrupalWebTestCase:: |
protected | function | Execute a POST request on a Drupal page. It will be done as usual POST request with SimpleBrowser. | |
DrupalWebTestCase:: |
protected | function | Delete created files and temporary files directory, delete the tables created by setUp(), and reset the database prefix. | 6 |
DrupalTestCase:: |
public static | function | Delete an assertion record by message ID. | |
DrupalTestCase:: |
protected | function | Cycles through backtrace until the first non-assertion method is found. | |
DrupalTestCase:: |
public | property | Current results of this test case. | |
DrupalWebTestCase:: |
protected | function | Creates a role with specified permissions. | |
DrupalWebTestCase:: |
protected | function | Creates a node based on default settings. | |
DrupalWebTestCase:: |
protected | function | Creates a custom content type based on default settings. | |
DrupalWebTestCase:: |
protected | function | Create a user with a given set of permissions. | |
DrupalTestCase:: |
public static | function | Converts a list of possible parameters into a stack of permutations. | |
DrupalWebTestCase:: |
function |
Constructor for DrupalWebTestCase. Overrides DrupalTestCase:: |
1 | |
DrupalWebTestCase:: |
protected | function | Compare two files based on size and file name. | |
DrupalWebTestCase:: |
protected | function | Close the cURL handler and unset the handler. | |
DrupalTestCase:: |
protected | function | Check to see if two values are not identical. | |
DrupalTestCase:: |
protected | function | Check to see if two values are not equal. | |
DrupalTestCase:: |
protected | function | Check to see if two values are identical. | |
DrupalTestCase:: |
protected | function | Check to see if two values are equal. | |
DrupalTestCase:: |
protected | function | Check to see if a value is NULL. | |
DrupalTestCase:: |
protected | function | Check to see if a value is not NULL. | |
DrupalTestCase:: |
protected | function | Check to see if a value is not false (not an empty string, 0, NULL, or FALSE). | |
DrupalTestCase:: |
protected | function | Check to see if a value is false (an empty string, 0, NULL, or FALSE). | |
DrupalWebTestCase:: |
protected | function | Check to make sure that the array of permissions are valid. | |
DrupalWebTestCase:: |
protected | function | Check for meta refresh tag and if found call drupalGet() recursively. This function looks for the http-equiv attribute to be set to "Refresh" and is case-sensitive. | |
DrupalWebTestCase:: |
protected | function | Changes the database connection to the prefixed one. | |
DrupalWebTestCase:: |
protected | function | Builds an XPath query. | |
SessionHttpsTestCase:: |
protected | function | Builds a URL for submitting a mock HTTPS request to HTTP test environments. | |
SessionHttpsTestCase:: |
protected | function | Builds a URL for submitting a mock HTTP request to HTTPS test environments. | |
DrupalWebTestCase:: |
protected | function | Asserts themed output. | |
DrupalWebTestCase:: |
protected | function | Asserts the page responds with the specified response code. | |
DrupalWebTestCase:: |
protected | function | Asserts the page did not return the specified response code. | |
DrupalWebTestCase:: |
protected | function | Asserts that the most recently sent e-mail message has the string in it. | |
DrupalWebTestCase:: |
protected | function | Asserts that the most recently sent e-mail message has the pattern in it. | |
DrupalWebTestCase:: |
protected | function | Asserts that the most recently sent e-mail message has the given value. | |
DrupalWebTestCase:: |
protected | function | Asserts that each HTML ID is used for just a single element. | |
DrupalWebTestCase:: |
protected | function | Asserts that a select option in the current page is not checked. | |
DrupalWebTestCase:: |
protected | function | Asserts that a select option in the current page is checked. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field exists with the given name or ID. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field exists in the current page with the given name and value. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field exists in the current page with the given ID and value. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field exists in the current page by the given XPath. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field doesn't exist or its value doesn't match, by XPath. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field does not exist with the given name or ID. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field does not exist with the given name and value. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field does not exist with the given ID and value. | |
DrupalWebTestCase:: |
protected | function | Asserts that a checkbox field in the current page is not checked. | |
DrupalWebTestCase:: |
protected | function | Asserts that a checkbox field in the current page is checked. | |
DrupalTestCase:: |
protected | property | Assertions thrown in that test case. | |
DrupalWebTestCase:: |
protected | property | Additional cURL options. | |
SessionHttpsTestCase:: |
public static | function | ||
SessionHttpsTestCase:: |
protected | function | ||
DrupalWebTestCase:: |
protected | function | ||
DrupalTestCase:: |
protected | property | ||
DrupalTestCase:: |
protected | property |