// The client must hold no cookie under the insecure session name. The (bool)
// cast means a missing cookie and an empty value both satisfy the check.
$insecure_sid_cookie = $this->getSession()->getCookie($this->insecureSessionName);
$this->assertFalse((bool) $insecure_sid_cookie);

// NOTE(review): assertSessionIds() is defined outside this snippet. Going by
// the assertion messages it checks the stored session record for the given
// secure SID; confirm against the helper.
$secure_sid_cookie = $this->getSession()->getCookie($this->secureSessionName);
$this->assertSessionIds(
  $secure_sid_cookie,
  'Session has a non-empty SID and a correct secure SID.'
);
$this->assertSessionIds(
  $first_secure_session,
  'The first secure session still exists.'
);

// A cookie with an empty value under the insecure session name must not be
// accepted as a session on the non-secure site: the admin page must answer
// 403. The cookie is built from the string "<name>=" with the base URL passed
// as the second argument.
$empty_sid_cookie = Cookie::fromString(
  $this->insecureSessionName . '=',
  $this->baseUrl
);
$browser_kit_cookie_jar->set($empty_sid_cookie);
$this->drupalGet($this->httpUrl('admin/config'));
$this->assertSession()->statusCodeEquals(403);

// Expire the secure session cookie in the jar before logging in via HTTP on
// HTTPS environments, so that it is not carried into the login that follows.
$browser_kit_cookie_jar->expire($this->secureSessionName);