// Verify that empty SID cannot be used on the non-secure site.
$browser_kit_cookie_jar->
set(Cookie::
fromString($this->insecureSessionName . '=',
$this->baseUrl
));
$this->
drupalGet($this->
httpUrl('admin/config'
));
$this->
assertSession()->
statusCodeEquals(403
);
// Remove the secure session name from the cookie jar before logging in via
// HTTP on HTTPS environments.
$browser_kit_cookie_jar->
expire($this->secureSessionName
);
// Test HTTP session handling by submitting the login form through http.php,
// which creates a mock HTTP request on HTTPS test environments.
$this->
loginHttp($user);
$this->
drupalGet($this->
httpUrl('admin/config'
));
$this->
assertSession()->
statusCodeEquals(200
);
$this->
assertSessionIds($this->
getSession()->
getCookie($this->insecureSessionName
), 'Session has the correct SID and an empty secure SID.'
);
// Verify that empty secure SID cannot be used on the secure site.
$browser_kit_cookie_jar->
set(Cookie::
fromString($this->secureSessionName . '=',
$this->baseUrl
));
$this->
drupalGet($this->
httpsUrl('admin/config'
));
$this->
assertSession()->
statusCodeEquals(403
);
} /**
* Log in a user via HTTP.
*
* Note that the parent's $session_id and $loggedInUser are not updated.
*/