Diffstat (limited to 'tests/session')
| -rw-r--r-- | tests/session/append_sid_test.php | 14 | ||||
| -rw-r--r-- | tests/session/check_ban_test.php | 82 | ||||
| -rw-r--r-- | tests/session/check_isvalid_test.php | 65 | ||||
| -rw-r--r-- | tests/session/continue_test.php | 121 | ||||
| -rw-r--r-- | tests/session/create_test.php | 47 | ||||
| -rw-r--r-- | tests/session/creation_test.php | 57 | ||||
| -rw-r--r-- | tests/session/extract_hostname_test.php | 55 | ||||
| -rw-r--r-- | tests/session/extract_page_test.php | 169 | ||||
| -rw-r--r-- | tests/session/fixtures/sessions_banlist.xml | 62 | ||||
| -rw-r--r-- | tests/session/fixtures/sessions_empty.xml | 8 | ||||
| -rw-r--r-- | tests/session/fixtures/sessions_full.xml | 11 | ||||
| -rw-r--r-- | tests/session/fixtures/sessions_garbage.xml | 54 | ||||
| -rw-r--r-- | tests/session/fixtures/sessions_key.xml | 39 | ||||
| -rw-r--r-- | tests/session/garbage_collection_test.php | 57 | ||||
| -rw-r--r-- | tests/session/session_key_test.php | 55 | ||||
| -rw-r--r-- | tests/session/testable_facade.php | 130 | ||||
| -rw-r--r-- | tests/session/testable_factory.php | 72 | ||||
| -rw-r--r-- | tests/session/unset_admin_test.php | 52 | ||||
| -rw-r--r-- | tests/session/validate_referrer_test.php | 74 | 
19 files changed, 1017 insertions, 207 deletions
diff --git a/tests/session/append_sid_test.php b/tests/session/append_sid_test.php index ce7bf71215..2a1d94514f 100644 --- a/tests/session/append_sid_test.php +++ b/tests/session/append_sid_test.php @@ -1,9 +1,13 @@  <?php  /**  * -* @package testing -* @copyright (c) 2011 phpBB Group -* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* This file is part of the phpBB Forum Software package. +* +* @copyright (c) phpBB Limited <https://www.phpbb.com> +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file.  *  */ @@ -45,6 +49,10 @@ class phpbb_session_append_sid_test extends phpbb_test_case  	*/  	public function test_append_sid($url, $params, $is_amp, $session_id, $expected, $description)  	{ +		global $phpbb_dispatcher; + +		$phpbb_dispatcher = new phpbb_mock_event_dispatcher;  		$this->assertEquals($expected, append_sid($url, $params, $is_amp, $session_id));  	}  } + diff --git a/tests/session/check_ban_test.php b/tests/session/check_ban_test.php new file mode 100644 index 0000000000..561b7faf49 --- /dev/null +++ b/tests/session/check_ban_test.php 
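Review bot: test_append_sid overwrites the global `$phpbb_dispatcher` with a fresh phpbb_mock_event_dispatcher on every data-provider row and never restores the previous value, so whatever dispatcher the surrounding suite had installed is lost for later tests in the same process. Prefer saving and restoring it around the test, e.g. `$backup = $phpbb_dispatcher;` in setUp() and `$phpbb_dispatcher = $backup;` in tearDown(), the same pattern check_ban_test.php in this commit uses for `$cache`. The enclosing class starts before the hunk.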
@@ -0,0 +1,82 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php';
+
+class phpbb_session_check_ban_test extends phpbb_session_test_case
+{
+	protected $user_id = 4;
+	protected $key_id = 4;
+	protected $session;
+	protected $backup_cache;
+
+	public function getDataSet()
+	{
+		return $this->createXMLDataSet(dirname(__FILE__) . '/fixtures/sessions_banlist.xml');
+	}
+
+	static function check_banned_data()
+	{
+		return array(
+		    array('All false values, should not be banned',
+				 false, false, false, false, /* should be banned? -> */ false),
+			array('Matching values in the database, should be banned',
+				 4, '127.0.0.1', 'bar@example.org', true, /* should be banned? -> */ true),
+			array('IP Banned, should be banned',
+			     false, '127.1.1.1', false, false, /* should be banned? -> */ true),
+		);
+	}
+
+	public function setUp()
+	{
+		parent::setUp();
+		// Get session here so that config is mocked correctly
+		$this->session = $this->session_factory->get_session($this->db);
+		global $cache, $config, $phpbb_root_path, $phpEx;
+		$this->backup_cache = $cache;
+		// Change the global cache object for this test because
+		// the mock cache object does not hit the database as is needed
+		// for this test.
+		$cache = new \phpbb\cache\service(
+			new \phpbb\cache\driver\file(),
+			$config,
+			$this->db,
+			$phpbb_root_path,
+			$phpEx
+		);
+	}
+
+	public function tearDown()
+	{
+		parent::tearDown();
+		// Set cache back to what it was before the test changed it
+		global $cache;
+		$cache = $this->backup_cache;
+	}
+
+	/** @dataProvider check_banned_data */
+	public function test_check_is_banned($test_msg, $user_id, $user_ips, $user_email, $return, $should_be_banned)
+	{
+		try
+		{
+			$is_banned = $this->session->check_ban($user_id, $user_ips, $user_email, $return);
+		}
+		catch (PHPUnit_Framework_Error_Notice $e)
+		{
+			// User error was triggered, user must have been banned
+			$is_banned = true;
+		}
+
+		$this->assertEquals($should_be_banned, $is_banned, $test_msg);
+	}
+}
diff --git a/tests/session/check_isvalid_test.php b/tests/session/check_isvalid_test.php
new file mode 100644
index 0000000000..90554bfe5f
--- /dev/null
+++ b/tests/session/check_isvalid_test.php
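Review bot: The catch in test_check_is_banned maps every PHPUnit_Framework_Error_Notice to `$is_banned = true`, so a notice raised for any other reason inside check_ban() — or by the real file cache driver that setUp() now installs — makes the two "should be banned" rows pass for the wrong reason; only the "not banned" row genuinely exercises the return path. Narrow it by asserting on the notice, e.g. `$this->assertNotEmpty($e->getMessage(), $test_msg);` at minimum, or, if the `$return` argument makes check_ban() return the ban instead of triggering (the second row already passes `true` for it), run the IP-ban row with `true` too so all banned cases assert on a value. tearDown() also restores `$cache` only after `parent::tearDown()`; if the parent teardown touches the cache it sees the temporary file-backed service rather than the original, so restoring first is safer. `protected $key_id = 4;` is unused in this class.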
@@ -0,0 +1,65 @@ +<?php +/** +* +* This file is part of the phpBB Forum Software package. +* +* @copyright (c) phpBB Limited <https://www.phpbb.com> +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php'; + +class phpbb_session_check_isvalid_test extends phpbb_session_test_case +{ +	public function getDataSet() +	{ +		return $this->createXMLDataSet(dirname(__FILE__) . '/fixtures/sessions_full.xml'); +	} + +	protected function access_with($session_id, $user_id, $user_agent, $ip) +	{ +		$this->session_factory->merge_test_data($session_id, $user_id, $user_agent, $ip); + +		$session = $this->session_factory->get_session($this->db); +		$session->page = array('page' => 'page', 'forum' => 0); + +		$session->session_begin(); +		$this->session_factory->check($this); +		return $session; +	} + +	public function test_session_valid_session_exists() +	{ +		$session = $this->access_with('bar_session000000000000000000000', '4', 'user agent', '127.0.0.1'); +		$session->check_cookies($this, array()); + +		$this->check_sessions_equals(array( +				array('session_id' => 'anon_session00000000000000000000', 'session_user_id' => 1), +				array('session_id' => 'bar_session000000000000000000000', 'session_user_id' => 4), +			), +			'If a request comes with a valid session id with matching user agent and IP, no new session should be created.' 
+		); +	} + +	public function test_session_invalid_make_new_annon_session() +	{ +		$session = $this->access_with('anon_session00000000000000000000', '4', 'user agent', '127.0.0.1'); +		$session->check_cookies($this, array( +			'u' => array('1', null), +			'k' => array(null, null), +			'sid' => array($session->session_id, null), +		)); + +		$this->check_sessions_equals(array( +				array('session_id' => $session->session_id, 'session_user_id' => 1), // use generated SID +				array('session_id' => 'bar_session000000000000000000000', 'session_user_id' => 4), +			), +			'If a request comes with a valid session id and IP but different user id and user agent, +				 a new anonymous session is created and the session matching the supplied session id is deleted.' +		); +	} +} diff --git a/tests/session/continue_test.php b/tests/session/continue_test.php deleted file mode 100644 index c4f7f8d75b..0000000000 --- a/tests/session/continue_test.php +++ /dev/null 
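Review bot: The message string passed to check_sessions_equals() in test_session_invalid_make_new_annon_session spans two source lines, so the literal carries an embedded newline and a run of tabs into every failure report; join it with `.` or use a single-line message. The method name misspells "anonymous" (`annon`), which is worth fixing before other tests copy it. Both tests rely on `access_with()` calling `$this->session_factory->check($this)` before any assertion on the session table, so a factory check failure is reported ahead of the more informative session comparison — consider moving that call after check_sessions_equals().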
@@ -1,121 +0,0 @@ -<?php -/** -* -* @package testing -* @copyright (c) 2011 phpBB Group -* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 -* -*/ - -require_once dirname(__FILE__) . '/../mock/cache.php'; -require_once dirname(__FILE__) . '/testable_factory.php'; - -class phpbb_session_continue_test extends phpbb_database_test_case -{ -	public function getDataSet() -	{ -		return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/sessions_full.xml'); -	} - -	static public function session_begin_attempts() -	{ -		// The session_id field is defined as CHAR(32) in the database schema. -		// Thus the data we put in session_id fields has to have a length of 32 characters on stricter DBMSes. -		// Thus we fill those strings up with zeroes until they have a string length of 32. - -		return array( -			array( -				'bar_session000000000000000000000', '4', 'user agent', '127.0.0.1', -				array( -					array('session_id' => 'anon_session00000000000000000000', 'session_user_id' => 1), -					array('session_id' => 'bar_session000000000000000000000', 'session_user_id' => 4), -				), -				array(), -				'If a request comes with a valid session id with matching user agent and IP, no new session should be created.', -			), -			array( -				'anon_session00000000000000000000', '4', 'user agent', '127.0.0.1', -				array( -					array('session_id' => '__new_session_id__', 'session_user_id' => 1), // use generated SID -					array('session_id' => 'bar_session000000000000000000000', 'session_user_id' => 4), -				), -				array( -					'u' => array('1', null), -					'k' => array(null, null), -					'sid' => array('__new_session_id__', null), -				), -				'If a request comes with a valid session id and IP but different user id and user agent, a new anonymous session is created and the session matching the supplied session id is deleted.', -			), -		); -	} - -	/** -	* @dataProvider session_begin_attempts -	*/ -	public function 
test_session_begin_valid_session($session_id, $user_id, $user_agent, $ip, $expected_sessions, $expected_cookies, $message) -	{ -		$db = $this->new_dbal(); -		$session_factory = new phpbb_session_testable_factory; -		$session_factory->set_cookies(array( -			'_sid' => $session_id, -			'_u' => $user_id, -		)); -		$session_factory->merge_config_data(array( -			'session_length' => time(), // need to do this to allow sessions started at time 0 -		)); -		$session_factory->merge_server_data(array( -			'HTTP_USER_AGENT' => $user_agent, -			'REMOTE_ADDR' => $ip, -		)); - -		$session = $session_factory->get_session($db); -		$session->page = array('page' => 'page', 'forum' => 0); - -		$session->session_begin(); - -		$sql = 'SELECT session_id, session_user_id -			FROM phpbb_sessions -			ORDER BY session_user_id'; - -		$expected_sessions = $this->replace_session($expected_sessions, $session->session_id); -		$expected_cookies = $this->replace_session($expected_cookies, $session->session_id); - -		$this->assertSqlResultEquals( -			$expected_sessions, -			$sql, -			$message -		); - -		$session->check_cookies($this, $expected_cookies); - -		$session_factory->check($this); -	} - -	/** -	* Replaces recursively the value __new_session_id__ with the given session -	* id. -	* -	* @param array $array An array of data -	* @param string $session_id The new session id to use instead of the -	*                           placeholder. -	* @return array The input array with all occurances of __new_session_id__ -	*               replaced. -	*/ -	public function replace_session($array, $session_id) -	{ -		foreach ($array as $key => &$value) -		{ -			if ($value === '__new_session_id__') -			{ -				$value = $session_id; -			} - -			if (is_array($value)) -			{ -				$value = $this->replace_session($value, $session_id); -			} -		} - -		return $array; -	} -} diff --git a/tests/session/create_test.php b/tests/session/create_test.php new file mode 100644 index 0000000000..105c76eb7f --- /dev/null 
+++ b/tests/session/create_test.php
@@ -0,0 +1,47 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php';
+
+class phpbb_session_create_test extends phpbb_session_test_case
+{
+	public function getDataSet()
+	{
+		return $this->createXMLDataSet(dirname(__FILE__) . '/fixtures/sessions_full.xml');
+	}
+
+	static function bot($bot_agent, $user_id, $bot_ip)
+	{
+		return array(array(
+			'bot_agent' => $bot_agent,
+			'user_id' => $user_id,
+			'bot_ip' => $bot_ip,
+		));
+	}
+
+	function test_bot_session()
+	{
+		$output = $this->session_facade->session_create(
+			false,
+			false,
+			false,
+			false,
+			array(),
+			'user agent',
+			'127.0.0.1',
+			self::bot('user agent', 13, '127.0.0.1'),
+			''
+		);
+		$this->assertEquals(true, $output->data['is_bot'], 'should be a bot');
+	}
+}
diff --git a/tests/session/creation_test.php b/tests/session/creation_test.php
deleted file mode 100644
index bef52c6554..0000000000
--- a/tests/session/creation_test.php
+++ /dev/null
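Review bot: test_bot_session only covers the positive match — the bot entry from `self::bot('user agent', 13, '127.0.0.1')` and the request's user agent and IP are identical — so a session_create() that flagged every visitor as a bot would still pass, and the case that matters for identity (a non-matching agent or IP must not be promoted to the bot user) is untested. Turn it into a data provider with at least one negative row, e.g. `self::bot('other agent', 13, '127.0.0.1')` expecting `$output->data['is_bot']` to be `false`. `static function bot` and `function test_bot_session` also lack a visibility keyword, unlike the other new test files in this commit.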
@@ -1,57 +0,0 @@ -<?php -/** -* -* @package testing -* @copyright (c) 2011 phpBB Group -* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 -* -*/ - -require_once dirname(__FILE__) . '/../mock/cache.php'; -require_once dirname(__FILE__) . '/testable_factory.php'; - -class phpbb_session_creation_test extends phpbb_database_test_case -{ -	public function getDataSet() -	{ -		return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/sessions_empty.xml'); -	} - -	// also see security/extract_current_page.php - -	public function test_login_session_create() -	{ -		$db = $this->new_dbal(); -		$session_factory = new phpbb_session_testable_factory; - -		$session = $session_factory->get_session($db); -		$session->page = array('page' => 'page', 'forum' => 0); - -		$session->session_create(3); - -		$sql = 'SELECT session_user_id -			FROM phpbb_sessions'; - -		$this->assertSqlResultEquals( -			array(array('session_user_id' => 3)), -			$sql, -			'Check if exactly one session for user id 3 was created' -		); - -		$one_year_in_seconds = 365 * 24 * 60 * 60; -		$cookie_expire = $session->time_now + $one_year_in_seconds; - -		$session->check_cookies($this, array( -			'u' => array(null, $cookie_expire), -			'k' => array(null, $cookie_expire), -			'sid' => array($session->session_id, $cookie_expire), -		)); - -		global $SID, $_SID; -		$this->assertEquals($session->session_id, $_SID); -		$this->assertEquals('?sid=' . $session->session_id, $SID); - -		$session_factory->check($this); -	} -} - diff --git a/tests/session/extract_hostname_test.php b/tests/session/extract_hostname_test.php new file mode 100644 index 0000000000..3a9d498007 --- /dev/null +++ b/tests/session/extract_hostname_test.php 
@@ -0,0 +1,55 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php';
+
+class phpbb_session_extract_hostname_test extends phpbb_session_test_case
+{
+	public function getDataSet()
+	{
+		return $this->createXMLDataSet(dirname(__FILE__) . '/fixtures/sessions_empty.xml');
+	}
+
+	static public function extract_current_hostname_data()
+	{
+		return array (
+			// [Input] $host, $server_name_config, $cookie_domain_config, [Expected] $output
+			// If host is ip use that
+			//    ipv4
+			array('127.0.0.1', 'skipped.org', 'skipped.org', '127.0.0.1'),
+			//    ipv6
+			array('::1', 'skipped.org', 'skipped.org', ':'),
+			array('2002::3235:51f9', 'skipped.org', 'skipped.org', '2002::3235'),
+			// If no host but server name matches cookie_domain use that
+			array('', 'example.org', 'example.org', 'example.org'),
+			// If there is a host uri use that
+			array('example.org', false, false, 'example.org'),
+			// 'best approach' guessing
+			array('', 'example.org', false, 'example.org'),
+			array('', false, '127.0.0.1', '127.0.0.1'),
+			array('', false, false, php_uname('n')),
+		);
+	}
+
+	/** @dataProvider extract_current_hostname_data */
+	function test_extract_current_hostname($host, $server_name_config, $cookie_domain_config, $expected)
+	{
+		$output = $this->session_facade->extract_current_hostname(
+			$host,
+			$server_name_config,
+			$cookie_domain_config
+		);
+
+		$this->assertEquals($expected, $output);
+	}
+}
diff --git a/tests/session/extract_page_test.php b/tests/session/extract_page_test.php
new file mode 100644
index 0000000000..f314d35f87
--- /dev/null
+++ b/tests/session/extract_page_test.php
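Review bot: The two IPv6 rows pin results that are not valid hosts — `'::1'` is expected to yield `':'` and `'2002::3235:51f9'` to yield `'2002::3235'` — which reads as the last colon-separated group being dropped as if it were a `:port` suffix on an unbracketed IPv6 literal. Since extract_current_hostname() feeds the cookie domain, enshrining that output as the expected value turns a likely defect into a specification; either mark those rows as documenting current behaviour, e.g. `// NOTE: records present IPv6 truncation, not the intended result`, or expect the full literals and fix the production code in a follow-up. The last row compares against `php_uname('n')` of the machine running the suite, so it can only confirm that the fallback is reached, not what it should produce; a comment saying so would stop readers from treating it as a real expectation.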
@@ -0,0 +1,169 @@ +<?php +/** +* +* This file is part of the phpBB Forum Software package. +* +* @copyright (c) phpBB Limited <https://www.phpbb.com> +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php'; + +class phpbb_session_extract_page_test extends phpbb_session_test_case +{ +	public function getDataSet() +	{ +		return $this->createXMLDataSet(dirname(__FILE__) . '/fixtures/sessions_empty.xml'); +	} + +	static public function extract_current_page_data() +	{ +		return array( +			array( +				'./', +				'/phpBB/index.php', +				'', +				'/phpBB/', +				'/', +				array( +					'page_name' => 'index.php', +					'page_dir' => '', +					'query_string' => '', +					'script_path' => '/phpBB/', +					'root_script_path' => '/phpBB/', +					'page' => 'index.php', +					'forum' => 0, +				), +			), +			array( +				'./', +				'/phpBB/ucp.php', +				'mode=login', +				'/phpBB/', +				'/', +				array( +					'page_name' => 'ucp.php', +					'page_dir' => '', +					'query_string' => 'mode=login', +					'script_path' => '/phpBB/', +					'root_script_path' => '/phpBB/', +					'page' => 'ucp.php?mode=login', +					'forum' => 0, +				), +			), +			array( +				'./', +				'/phpBB/ucp.php', +				'mode=register', +				'/phpBB/', +				'/', +				array( +					'page_name' => 'ucp.php', +					'page_dir' => '', +					'query_string' => 'mode=register', +					'script_path' => '/phpBB/', +					'root_script_path' => '/phpBB/', +					'page' => 'ucp.php?mode=register', +					'forum' => 0, +				), +			), +			array( +				'./', +				'/phpBB/ucp.php', +				'mode=register', +				'/phpBB/', +				'/', +				array( +					'page_name' => 'ucp.php', +					'page_dir' => '', +					'query_string' => 'mode=register', +					'script_path' => '/phpBB/', +					'root_script_path' => '/phpBB/', +					'page' => 'ucp.php?mode=register', +	
				'forum' => 0, +				), +			), +			array( +				'./../', +				'/phpBB/adm/index.php', +				'sid=e7215d958cdd41a6fc13509bebe53e42', +				'/phpBB/adm/', +				'/', +				array( +					'page_name' => 'index.php', +					//'page_dir' => 'adm', +					// ^-- Ignored because .. returns different directory in live vs testing +					'query_string' => '', +					'script_path' => '/phpBB/adm/', +					//'root_script_path' => '/phpBB/', +					//'page' => 'adm/index.php', +					'forum' => 0, +				), +			), +			array( +				'./', +				'/phpBB/adm/app.php', +				'page=1&test=2', +				'/phpBB/', +				'/foo/bar', +				array( +					'page_name' => 'app.php/foo/bar', +					'page_dir' => '', +					'query_string' => 'page=1&test=2', +					'script_path' => '/phpBB/', +					'root_script_path' => '/phpBB/', +					'page' => 'app.php/foo/bar?page=1&test=2', +					'forum' => 0, +				), +			), +			array( +				'./../phpBB/', +				'/test/test.php', +				'page=1&test=2', +				'/test/', +				'', +				array( +					'page_name' => 'test.php', +					//'page_dir' => '', +					'query_string' => 'page=1&test=2', +					'script_path' => '/test/', +					//'root_script_path' => '../phpBB/', +					//'page' => '../test/test.php/foo/bar?page=1&test=2', +					'forum' => 0, +				), +			), +		); +	} + +	/** @dataProvider extract_current_page_data */ +	function test_extract_current_page($root_path, $getScriptName, $getQueryString, $getBasePath, $getPathInfo, $expected) +	{ +		global $symfony_request; + +		$symfony_request = $this->getMock("\phpbb\symfony_request", array(), array( +			new phpbb_mock_request(), +		)); +		$symfony_request->expects($this->any()) +			->method('getScriptName') +			->will($this->returnValue($getScriptName)); +		$symfony_request->expects($this->any()) +			->method('getQueryString') +			->will($this->returnValue($getQueryString)); +		$symfony_request->expects($this->any()) +			->method('getBasePath') +			->will($this->returnValue($getBasePath)); +		$symfony_request->expects($this->any()) +			
->method('getPathInfo') +			->will($this->returnValue($getPathInfo)); + +		$output = \phpbb\session::extract_current_page($root_path); + +		// This compares the result of the output. +		// Any keys that are not in the expected array are overwritten by the output (aka not checked). +		$this->assert_array_content_equals(array_merge($output, $expected), $output); +	} +} diff --git a/tests/session/fixtures/sessions_banlist.xml b/tests/session/fixtures/sessions_banlist.xml new file mode 100644 index 0000000000..e720e35f0a --- /dev/null +++ b/tests/session/fixtures/sessions_banlist.xml 
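Review bot: The third and fourth rows of extract_current_page_data() are byte-for-byte identical (`'/phpBB/ucp.php'`, `'mode=register'`, same expected array), so one of them adds a run without adding coverage; drop it or vary it (for example a query string containing a `sid=` parameter on a non-adm page, which only the adm row currently exercises). The expected arrays for the adm and `./../phpBB/` rows comment out `root_script_path` and `page` without the explanation given for `page_dir`; a one-line reason next to each would keep the next maintainer from "fixing" the test by uncommenting them. Note that `array_merge($output, $expected)` means a key missing from `$output` but present in `$expected` is still compared, while extra output keys are silently accepted, as the comment above the assertion says.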
@@ -0,0 +1,62 @@ +<?xml version="1.0" encoding="UTF-8" ?> +<dataset> +	<table name="phpbb_users"> +		<column>user_id</column> +		<column>username_clean</column> +		<column>user_permissions</column> +		<column>user_sig</column> +		<row> +			<value>1</value> +			<value>anonymous</value> +			<value></value> +			<value></value> +		</row> +    </table> +    <table name="phpbb_sessions"> +		<column>session_id</column> +		<column>session_user_id</column> +		<column>session_ip</column> +		<column>session_browser</column> +		<column>session_admin</column> +		<row> +			<value>bar_session000000000000000000000</value> +			<value>4</value> +            <value>127.0.0.1</value> +			<value>user agent</value> +			<value>1</value> +		</row> +	</table> +	<table name="phpbb_banlist"> +        <column>ban_id</column> +        <column>ban_userid</column> +        <column>ban_ip</column> +        <column>ban_email</column> +        <column>ban_start</column> +        <column>ban_end</column> +        <column>ban_exclude</column> +        <column>ban_reason</column> +        <column>ban_give_reason</column> +        <row> +            <value>2</value> +            <value>4</value> +            <value>127.0.0.1</value> +            <value>bar@example.org</value> +            <value>1111</value> +            <value>0</value> +            <value>0</value> +            <value>HAHAHA</value> +            <value>1</value> +        </row> +        <row> +            <value>3</value> +            <value>0</value> +            <value>127.1.1.1</value> +            <value></value> +            <value>1111</value> +            <value>0</value> +            <value>0</value> +            <value>HAHAHA</value> +            <value>1</value> +        </row> +    </table> +</dataset> diff --git a/tests/session/fixtures/sessions_empty.xml b/tests/session/fixtures/sessions_empty.xml index 0e6ddccd88..2acba58f45 100644 --- a/tests/session/fixtures/sessions_empty.xml 
+++ b/tests/session/fixtures/sessions_empty.xml @@ -5,31 +5,23 @@  		<column>username_clean</column>  		<column>user_permissions</column>  		<column>user_sig</column> -		<column>user_occ</column> -		<column>user_interests</column>  		<row>  			<value>1</value>  			<value>anonymous</value>  			<value></value>  			<value></value> -			<value></value> -			<value></value>  		</row>  		<row>  			<value>3</value>  			<value>foo</value>  			<value></value>  			<value></value> -			<value></value> -			<value></value>  		</row>  		<row>  			<value>4</value>  			<value>bar</value>  			<value></value>  			<value></value> -			<value></value> -			<value></value>  		</row>  	</table>  	<table name="phpbb_sessions"> diff --git a/tests/session/fixtures/sessions_full.xml b/tests/session/fixtures/sessions_full.xml index 509687f4d2..4fb6b9dfd4 100644 --- a/tests/session/fixtures/sessions_full.xml +++ b/tests/session/fixtures/sessions_full.xml @@ -5,31 +5,23 @@  		<column>username_clean</column>  		<column>user_permissions</column>  		<column>user_sig</column> -		<column>user_occ</column> -		<column>user_interests</column>  		<row>  			<value>1</value>  			<value>anonymous</value>  			<value></value>  			<value></value> -			<value></value> -			<value></value>  		</row>  		<row>  			<value>3</value>  			<value>foo</value>  			<value></value>  			<value></value> -			<value></value> -			<value></value>  		</row>  		<row>  			<value>4</value>  			<value>bar</value>  			<value></value>  			<value></value> -			<value></value> -			<value></value>  		</row>  	</table>  	<table name="phpbb_sessions"> 
@@ -37,17 +29,20 @@  		<column>session_user_id</column>  		<column>session_ip</column>  		<column>session_browser</column> +		<column>session_admin</column>  		<row>  			<value>anon_session00000000000000000000</value>  			<value>1</value>  			<value>127.0.0.1</value>  			<value>anonymous user agent</value> +			<value>0</value>  		</row>  		<row>  			<value>bar_session000000000000000000000</value>  			<value>4</value>  			<value>127.0.0.1</value>  			<value>user agent</value> +			<value>1</value>  		</row>  	</table>  </dataset> diff --git a/tests/session/fixtures/sessions_garbage.xml b/tests/session/fixtures/sessions_garbage.xml new file mode 100644 index 0000000000..5eace839d0 --- /dev/null +++ b/tests/session/fixtures/sessions_garbage.xml 
@@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8" ?> +<dataset> +	<table name="phpbb_users"> +		<column>user_id</column> +		<column>username_clean</column> +		<column>user_permissions</column> +		<column>user_sig</column> +		<row> +			<value>4</value> +			<value>bar</value> +			<value></value> +			<value></value> +		</row> +	</table> +	<table name="phpbb_sessions"> +		<column>session_id</column> +		<column>session_user_id</column> +		<column>session_ip</column> +		<column>session_browser</column> +		<column>session_admin</column> +		<row> +			<value>anon_session00000000000000000000</value> +			<value>1</value> +			<value>127.0.0.1</value> +			<value>anonymous user agent</value> +			<value>0</value> +		</row> +		<row> +			<value>bar_session000000000000000000000</value> +			<value>4</value> +			<value>127.0.0.1</value> +			<value>user agent</value> +			<value>1</value> +		</row> +	</table> +	<table name="phpbb_login_attempts"> +		<column>attempt_ip</column> +		<column>attempt_browser</column> +		<column>attempt_forwarded_for</column> +		<column>attempt_time</column> +		<column>user_id</column> +		<column>username</column> +		<column>username_clean</column> +		<row> +			<value>127.0.0.1</value> +			<value>browser</value> +			<value></value> +			<value>0001</value> +			<value>4</value> +			<value>bar</value> +			<value>bar</value> +		</row> +	</table> +</dataset> diff --git a/tests/session/fixtures/sessions_key.xml b/tests/session/fixtures/sessions_key.xml new file mode 100644 index 0000000000..245f89a604 --- /dev/null +++ b/tests/session/fixtures/sessions_key.xml 
@@ -0,0 +1,39 @@ +<?xml version="1.0" encoding="UTF-8" ?> +<dataset> +    <table name="phpbb_sessions_keys"> +        <column>key_id</column> +        <column>user_id</column> +        <column>last_ip</column> +        <column>last_login</column> +        <row> +            <value>a87ff679a2f3e71d9181a67b7542122c</value> +            <value>4</value> +            <value>127.0.0.1</value> +            <value>0</value> +        </row> +    </table> +    <table name="phpbb_sessions"> +        <column>session_id</column> +        <column>session_user_id</column> +        <column>session_ip</column> +        <column>session_browser</column> +        <row> +            <value>bar_session000000000000000000000</value> +            <value>4</value> +            <value>127.0.0.1</value> +            <value>user agent</value> +        </row> +    </table> +    <table name="phpbb_users"> +        <column>user_id</column> +        <column>username_clean</column> +        <column>user_permissions</column> +        <column>user_sig</column> +        <row> +            <value>4</value> +            <value>bar</value> +            <value></value> +            <value></value> +        </row> +    </table> +</dataset> diff --git a/tests/session/garbage_collection_test.php b/tests/session/garbage_collection_test.php new file mode 100644 index 0000000000..0fbc71dcd7 --- /dev/null +++ b/tests/session/garbage_collection_test.php 
@@ -0,0 +1,57 @@ +<?php +/** +* +* This file is part of the phpBB Forum Software package. +* +* @copyright (c) phpBB Limited <https://www.phpbb.com> +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php'; + +class phpbb_session_garbage_collection_test extends phpbb_session_test_case +{ +	public $session; + +	public function getDataSet() +	{ +		return $this->createXMLDataSet(dirname(__FILE__) . '/fixtures/sessions_garbage.xml'); +	} + +	public function setUp() +	{ +		parent::setUp(); +		$this->session = $this->session_factory->get_session($this->db); +	} + +	public function test_cleanup_all() +	{ +		$this->check_sessions_equals( +			array( +				array( +					'session_id' => 'anon_session00000000000000000000', +					'session_user_id' => 1, +				), +				array( +					'session_id' => 'bar_session000000000000000000000', +					'session_user_id' => 4, +				), +			), +			'Before test, should have some sessions.' +		); +		// Set session length so it clears all +		global $config; +		$config['session_length'] = 0; +		// There is an error unless the captcha plugin is set +		$config['captcha_plugin'] = 'phpbb_captcha_nogd'; +		$this->session->session_gc(); +		$this->check_sessions_equals( +			array(), +			'After setting session time to 0, should remove all.' +		); +	} +} diff --git a/tests/session/session_key_test.php b/tests/session/session_key_test.php new file mode 100644 index 0000000000..31a470615c --- /dev/null +++ b/tests/session/session_key_test.php 
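Review bot: test_cleanup_all writes `$config['session_length'] = 0` and `$config['captcha_plugin'] = 'phpbb_captcha_nogd'` straight into the global config object and never restores them, so the values leak into any test that runs later in the same process. The factory already offers `merge_config_data()` (used in session_key_test.php in this commit), which is presumably reset per test; applying the overrides through it, with the session obtained after the merge, would avoid the leak. The comment `// There is an error unless the captcha plugin is set` should name which code path raises it, since without that the override looks arbitrary, and `public $session` could be `protected` like the other new test classes.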
@@ -0,0 +1,55 @@ +<?php +/** +* +* This file is part of the phpBB Forum Software package. +* +* @copyright (c) phpBB Limited <https://www.phpbb.com> +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php'; + +class phpbb_session_login_keys_test extends phpbb_session_test_case +{ +	protected $user_id = 4; +	protected $key_id = 4; + +	public function getDataSet() +	{ +		return $this->createXMLDataSet(dirname(__FILE__) . '/fixtures/sessions_key.xml'); +	} + +	public function test_set_key_manually() +	{ +		// With AutoLogin setup +		$this->session_factory->merge_config_data(array('allow_autologin' => true)); +		$session = $this->session_factory->get_session($this->db); +		// Using a user_id and key that is already in the database +		$session->cookie_data['u'] = $this->user_id; +		$session->cookie_data['k'] = $this->key_id; +		// Try to access session +		$session->session_create($this->user_id, false, $this->user_id); + +		$this->assertEquals($this->user_id, $session->data['user_id'], "session should automatically login"); +	} + +	public function test_reset_keys() +	{ +		// With AutoLogin setup +		$this->session_factory->merge_config_data(array('allow_autologin' => true)); +		$session = $this->session_factory->get_session($this->db); +		// Reset of the keys for this user +		$session->reset_login_keys($this->user_id); +		// Using a user_id and key that was in the database (before reset) +		$session->cookie_data['u'] = $this->user_id; +		$session->cookie_data['k'] = $this->key_id; +		// Try to access session +		$session->session_create($this->user_id, false, $this->user_id); + +		$this->assertNotEquals($this->user_id, $session->data['user_id'], "session should be cleared"); +	} +} 
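Review bot: In both tests the third argument to `$session->session_create($this->user_id, false, $this->user_id)` is `$persist_login` according to the facade in this commit, yet the user id is passed there; it works only because 4 is truthy, so `true` is presumably what was meant. The link between `$key_id = 4` and the fixture is also implicit: sessions_key.xml stores `a87ff679a2f3e71d9181a67b7542122c`, which is md5('4'), so a comment such as `// cookie 'k' carries the raw key; sessions_key.xml holds its md5 as key_id` would explain why the raw value 4 logs the user in. test_reset_keys asserts only `assertNotEquals($this->user_id, ...)`, which passes for any other id; asserting the exact id the fallback session gets would make a regression that logs in a different user visible.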
diff --git a/tests/session/testable_facade.php b/tests/session/testable_facade.php new file mode 100644 index 0000000000..05858c8a63 --- /dev/null +++ b/tests/session/testable_facade.php 
@@ -0,0 +1,130 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+require_once dirname(__FILE__) . '/testable_factory.php';
+require_once dirname(__FILE__) . '/../../phpBB/phpbb/session.php';
+
+/**
+ * This class exists to expose session.php's functions in a more testable way.
+ *
+ * Since many functions in session.php have global variables inside the function,
+ * this exposes those functions through a testable facade that uses
+ * testable_factory's mock global variables to modify global variables used in
+ * the functions.
+ *
+ * This is using the facade pattern to provide a testable "front" to the
+ * functions in sessions.php.
+ *
+ */
+class phpbb_session_testable_facade
+{
+	protected $db;
+	protected $session_factory;
+
+	function __construct($db, $session_factory)
+	{
+		$this->db = $db;
+		$this->session_factory = $session_factory;
+	}
+
+	function extract_current_hostname(
+		$host,
+		$server_name_config,
+		$cookie_domain_config
+	)
+	{
+		$session = $this->session_factory->get_session($this->db);
+		global $config, $request;
+		$config['server_name'] = $server_name_config;
+		$config['cookie_domain'] = $cookie_domain_config;
+		$request->overwrite('SERVER_NAME', $host, \phpbb\request\request_interface::SERVER);
+		$request->overwrite('Host', $host, \phpbb\request\request_interface::SERVER);
+		// Note: There is a php_uname function used as a fallthrough
+		//       that this function doesn't override
+		return $session->extract_current_hostname();
+	}
+
+	/**
+	 *
+	 * This function has a lot of dependencies, so instead of naming them all,
+	 * just ask for overrides
+	 *
+	 * @param update_session_page Boolean of whether to set page of the session
+	 * @param config_overrides An array of overrides for the 
global config object
+	 * @param request_overrides An array of overrides for the global request object
+	 * @return boolean False if the user is identified, otherwise true.
+	 */
+	function session_begin(
+		$update_session_page = true,
+		$config_overrides = array(),
+		$request_overrides = array(),
+		$cookies_overrides = array()
+	)
+	{
+		$this->session_factory->merge_config_data($config_overrides);
+		$this->session_factory->merge_server_data($request_overrides);
+		$this->session_factory->set_cookies($cookies_overrides);
+		$session = $this->session_factory->get_session($this->db);
+		$session->session_begin($update_session_page);
+		return $session;
+	}
+
+	function session_create(
+		$user_id = false,
+		$set_admin = false,
+		$persist_login = false,
+		$viewonline = true,
+		array $config_overrides = array(),
+		$user_agent = 'user agent',
+		$ip_address = '127.0.0.1',
+		array $bot_overrides = array(),
+		$uri_sid = ""
+	)
+	{
+		$this->session_factory->merge_config_data($config_overrides);
+		// Bots
+		$this->session_factory->merge_cache_data(array('_bots' => $bot_overrides));
+		global $request;
+		$session = $this->session_factory->get_session($this->db);
+		$session->browser = $user_agent;
+		$session->ip = $ip_address;
+		// Uri sid
+		if ($uri_sid)
+		{
+			$_GET['sid'] = $uri_sid;
+		}
+		$session->session_create($user_id, $set_admin, $persist_login, $viewonline);
+		return $session;
+	}
+
+	function validate_referer(
+		$check_script_path,
+		$referer,
+		$host,
+		$force_server_vars,
+		$server_port,
+		$server_name,
+		$root_script_path
+	)
+	{
+		$session = $this->session_factory->get_session($this->db);
+		global $config, $request;
+		$session->referer = $referer;
+		$session->page['root_script_path'] = $root_script_path;
+		$session->host = $host;
+		$config['force_server_vars'] = $force_server_vars;
+		$config['server_name'] = $server_name;
+		$request->overwrite('SERVER_PORT', $server_port, \phpbb\request\request_interface::SERVER);
+		
return $session->validate_referer($check_script_path); +	} +} diff --git a/tests/session/testable_factory.php b/tests/session/testable_factory.php index 00f79738ef..3e25286480 100644 --- a/tests/session/testable_factory.php +++ b/tests/session/testable_factory.php @@ -1,13 +1,18 @@  <?php  /**  * -* @package testing -* @copyright (c) 2011 phpBB Group -* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* This file is part of the phpBB Forum Software package. +* +* @copyright (c) phpBB Limited <https://www.phpbb.com> +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file.  *  */ -require_once dirname(__FILE__) . '/../mock/session_testable.php'; +require_once dirname(__FILE__) . '/../mock/container_builder.php'; +require_once dirname(__FILE__) . '/../mock/auth_provider.php';  /**  * This class exists to setup an instance of phpbb's session class for testing. @@ -18,12 +23,14 @@ require_once dirname(__FILE__) . '/../mock/session_testable.php';  */  class phpbb_session_testable_factory  { +	protected $container;  	protected $config_data;  	protected $cache_data;  	protected $cookies;  	protected $config;  	protected $cache; +	protected $request;  	/**  	* Initialises the factory with a set of default config and cache values. 
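Review bot: The session_begin docblock says `@return boolean False if the user is identified, otherwise true.`, but the method returns `$session` — the unset_admin test in this commit reads `$session->data` from it — so it should read `@return phpbb_mock_session_testable The session after session_begin() ran`. In session_create, `$_GET['sid'] = $uri_sid;` writes a superglobal that is never cleared, so a sid set by one test survives into later tests in the same process, and it bypasses the phpbb_mock_request the factory installs, so whether the session ever sees it depends on whether session.php reads `$_GET` directly or goes through the request object; passing it through the factory's request data, or at least unsetting it after the call, would keep the facade self-contained. The `global $request;` declared in that same method is never used. extract_current_hostname and validate_referer carry no docblock at all, unlike session_begin.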
@@ -60,22 +67,41 @@ class phpbb_session_testable_factory  	/**  	* Retrieve the configured session class instance  	* -	* @param dbal $dbal The database connection to use for session data +	* @param \phpbb\db\driver\driver_interface $dbal The database connection to use for session data  	* @return phpbb_mock_session_testable A session instance  	*/ -	public function get_session(dbal $dbal) +	public function get_session(\phpbb\db\driver\driver_interface $dbal)  	{  		// set up all the global variables used by session -		global $SID, $_SID, $db, $config, $cache; +		global $SID, $_SID, $db, $config, $cache, $request, $phpbb_container; + +		$request = $this->request = new phpbb_mock_request( +			array(), +			array(), +			$this->cookies, +			$this->server_data +		); +		request_var(null, null, null, null, $request); + +		$config = $this->config = new \phpbb\config\config($this->get_config_data()); +		set_config(null, null, null, $config); -		$config = $this->config = $this->get_config_data();  		$db = $dbal;  		$cache = $this->cache = new phpbb_mock_cache($this->get_cache_data());  		$SID = $_SID = null; -		$_COOKIE = $this->cookies; -		$_SERVER = $this->server_data; +		$phpbb_container = $this->container = new phpbb_mock_container_builder(); +		$phpbb_container->set( +			'auth.provider.db', +			new phpbb_mock_auth_provider() +		); +		$provider_collection = new \phpbb\auth\provider_collection($phpbb_container, $config); +		$provider_collection->add('auth.provider.db'); +		$phpbb_container->set( +			'auth.provider_collection', +			$provider_collection +		);  		$session = new phpbb_mock_session_testable;  		return $session; 
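Review bot: get_session now also installs `$request` and `$phpbb_container` as globals and registers a phpbb_mock_auth_provider, but the docblock still describes only the returned session; add a line such as `* Also installs mock request, config, cache and container (with a db auth provider) as globals`. The provider is added under the fixed key `auth.provider.db` while the collection is built from `$config`, so a test that merges a different auth_method into its config would presumably find no provider — worth a comment on the `$provider_collection->add('auth.provider.db');` line. `request_var(null, null, null, null, $request);` and `set_config(null, null, null, $config);` appear to be the legacy hooks that hand the mock objects to the global request_var()/set_config() functions; a one-line comment saying so would stop a reader from taking them for no-ops. The enclosing method continues past the end of the hunk.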
@@ -159,6 +185,32 @@ class phpbb_session_testable_factory  	}  	/** +	 * Set cookies, merge config and server data in one step. +	 * +	 * New values overwrite old ones. +	 * +	 * @param $session_id +	 * @param $user_id +	 * @param $user_agent +	 * @param $ip +	 * @param int $time +	 */ +	public function merge_test_data($session_id, $user_id, $user_agent, $ip, $time = 0) +	{ +		$this->set_cookies(array( +			'_sid' => $session_id, +			'_u' => $user_id, +		)); +		$this->merge_config_data(array( +			'session_length' => time() + $time, // need to do this to allow sessions started at time 0 +		)); +		$this->merge_server_data(array( +			'HTTP_USER_AGENT' => $user_agent, +			'REMOTE_ADDR' => $ip, +		)); +	} + +	/**  	* Retrieve all server variables to be passed to the session.  	*  	* @return array Server variables diff --git a/tests/session/unset_admin_test.php b/tests/session/unset_admin_test.php new file mode 100644 index 0000000000..9633d77be6 --- /dev/null +++ b/tests/session/unset_admin_test.php 
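Review bot: The merge_test_data docblock lists `@param $session_id`, `@param $user_id`, `@param $user_agent` and `@param $ip` with neither type nor description, and `@param int $time` does not say what the value means; the body shows it is added to `time()` to form `session_length`, which the name does not suggest. Something like `@param int $time Seconds added to time() to form session_length, so sessions whose fixture session_time is 0 still count as alive` and `@param string $session_id Value of the _sid cookie` would document the contract the body actually implements. The inline `// need to do this to allow sessions started at time 0` is the same workaround that unset_admin_test repeats by hand in this commit; stating it once in the docblock gives that test a reason to call this helper instead.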
@@ -0,0 +1,52 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php';
+
+class phpbb_session_unset_admin_test extends phpbb_session_test_case
+{
+	public function getDataSet()
+	{
+		return $this->createXMLDataSet(dirname(__FILE__) . '/fixtures/sessions_full.xml');
+	}
+
+	function get_test_session()
+	{
+		return $this->session_facade->session_begin(
+			true,
+			// Config
+			array(
+				'session_length' => time(), // need to do this to allow sessions started at time 0
+			),
+			// Server
+			array(
+				'HTTP_USER_AGENT' => "user agent",
+				'REMOTE_ADDR' => "127.0.0.1",
+			),
+			// Cookies
+			array(
+				'_sid' => 'bar_session000000000000000000000',
+				'_u' => 4,
+			)
+		);
+	}
+
+	public function test_unset_admin()
+	{
+		$session = $this->get_test_session();
+		$this->assertEquals(1, $session->data['session_admin'], 'should be an admin before test starts');
+		$session->unset_admin();
+		$session = $this->get_test_session();
+		$this->assertEquals(0, $session->data['session_admin'], 'should be not be an admin after unset_admin');
+	}
+}
diff --git a/tests/session/validate_referrer_test.php b/tests/session/validate_referrer_test.php
new file mode 100644
index 0000000000..7690a89018
--- /dev/null
+++ b/tests/session/validate_referrer_test.php
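Review bot: The second assertion in test_unset_admin, `$this->assertEquals(0, $session->data['session_admin'], ...)`, is a loose comparison, so a `session_admin` key that is missing or `null` after unset_admin() would satisfy it just as well as a genuine `0`; asserting `assertArrayHasKey('session_admin', $session->data)` first, or comparing with `assertSame` against the type the mock session actually returns, pins that the flag was cleared rather than dropped. `function get_test_session()` declares no visibility while its siblings are `public`; `protected function get_test_session()` matches the file's style. The assertion message `'should be not be an admin after unset_admin'` has a doubled "be".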
@@ -0,0 +1,74 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php';
+
+class phpbb_session_validate_referrer_test extends phpbb_session_test_case
+{
+	public function getDataSet()
+	{
+		return $this->createXMLDataSet(dirname(__FILE__) . '/fixtures/sessions_empty.xml');
+	}
+
+	static function referrer_inputs()
+	{
+		$ex = "example.org";
+		$alt = "example.com";
+		return array(
+			// checkpath   referrer  host    forcevars    port servername   rootpath   pass?
+			// 0 Referrer or host wasn't collected, therefore should validate
+			array(false,  '',  $ex,  false,  80, $ex,  '', true),
+			array(false,  $ex, '',   false,  80, $ex,  '', true),
+			// 2 Referrer doesn't match host or server_name
+			array(false,  $alt, $ex,   false,  80, $ex,  '', false),
+			// 3 Everything should check out
+			array(false,  $ex, $ex,  false,    80, $ex,  '', true),
+			// 4 Check Script Path
+			array(true,  $ex, $ex,  false,    80, $ex,  '', true),
+			array(true,  "$ex/foo", $ex,  false,    80, $ex,  "/foo", true),
+			array(true,  "$ex/bar", $ex,  false,    80, $ex,  "/foo", false),
+			// 7 Port (This is not checked unless path is checked)
+			array(true,  "$ex:80/foo", "$ex:80",  false, 80, "$ex:80",  "/foo", true),
+			array(true,  "$ex:80/bar", "$ex:80",  false, 80, "$ex:80",  "/foo", false),
+			array(true,  "$ex:79/foo", "$ex:81",  false, 81, "$ex:81",  "/foo", false),
+		);
+	}
+
+	/** @dataProvider referrer_inputs */
+	function test_referrer_inputs(
+		$check_script_path,
+		$referrer,
+		$host,
+		$force_server_vars,
+		$server_port,
+		$server_name,
+		$root_script_path,
+		$pass_or_fail
+	)
+	{
+		// Referrer needs http:// because it's going to 
get stripped in function.
+		$referrer = $referrer ? 'http://' . $referrer : '';
+		$this->assertEquals(
+			$pass_or_fail,
+			$this->session_facade->validate_referer(
+				$check_script_path,
+				$referrer,
+				$host,
+				$force_server_vars,
+				$server_port,
+				$server_name,
+				$root_script_path
+			),
+			"referrer should" . ($pass_or_fail ? '' : "n't") . " be validated");
+	}
+}  | 
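Review bot: Every row of referrer_inputs() passes `false` in the forcevars column and a servername equal to the host, so the `$config['force_server_vars']` path the facade wires into validate_referer is never exercised; a row with an empty host, forcevars `true` and a referrer that matches only the server_name would cover it. The table also never pins how a referrer host that merely begins with `$ex` (say `"$ex.example.net"`) is treated, so the test cannot tell a whole-host comparison from a prefix comparison — for a referrer check that distinction is the point, and a row either way would fix it in the data. `static function referrer_inputs()` and `function test_referrer_inputs(` omit the `public` that getDataSet() declares; both default to public, but PHPUnit needs the data provider public, so spelling it out is safer.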
