Cleanup [dec2025] (#101)

* Cleanup excessive comments. * Remove leftovers hanging around from previous refactor * Improve test coverage
2026-06-05 22:44:17 +00:00 · 2025-12-09 01:38:02 +00:00
parent 9126c74723
commit c474bbafd6
172 changed files with 25141 additions and 52206 deletions
@@ -0,0 +1,794 @@
+package traefikoidc
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/suite"
+)
+
+// SessionBehaviourSuite tests session management behavior
+type SessionBehaviourSuite struct {
+	suite.Suite
+	logger         *Logger
+	sessionManager *SessionManager
+}
+
+func (s *SessionBehaviourSuite) SetupTest() {
+	s.logger = NewLogger("error")
+
+	var err error
+	s.sessionManager, err = NewSessionManager(
+		"test-encryption-key-32-bytes-long!!",
+		false,
+		"",
+		"",
+		0,
+		s.logger,
+	)
+	s.Require().NoError(err)
+}
+
+func (s *SessionBehaviourSuite) TearDownTest() {
+	if s.sessionManager != nil {
+		s.sessionManager.Shutdown()
+	}
+}
+
+// TestValidateSessionHealth_NilSession tests validation with nil session
+func (s *SessionBehaviourSuite) TestValidateSessionHealth_NilSession() {
+	err := s.sessionManager.ValidateSessionHealth(nil)
+	s.Error(err)
+	s.Contains(err.Error(), "session data is nil")
+}
+
+// TestValidateSessionHealth_NotAuthenticated tests validation with unauthenticated session
+func (s *SessionBehaviourSuite) TestValidateSessionHealth_NotAuthenticated() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Session is not authenticated by default
+	err = s.sessionManager.ValidateSessionHealth(session)
+	s.Error(err)
+	s.Contains(err.Error(), "session is not authenticated")
+}
+
+// TestValidateSessionHealth_AuthenticatedSession tests validation with authenticated session
+func (s *SessionBehaviourSuite) TestValidateSessionHealth_AuthenticatedSession() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set session as authenticated
+	err = session.SetAuthenticated(true)
+	s.Require().NoError(err)
+
+	// Validate health - should pass
+	err = s.sessionManager.ValidateSessionHealth(session)
+	s.NoError(err)
+}
+
+// TestValidateSessionHealth_WithValidAccessToken tests validation with valid access token
+func (s *SessionBehaviourSuite) TestValidateSessionHealth_WithValidAccessToken() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set session as authenticated
+	err = session.SetAuthenticated(true)
+	s.Require().NoError(err)
+
+	// Set a valid-format access token (opaque token format)
+	session.SetAccessToken("valid-access-token-with-sufficient-length-for-testing")
+
+	// Validate health - should pass
+	err = s.sessionManager.ValidateSessionHealth(session)
+	s.NoError(err)
+}
+
+// TestValidateSessionHealth_CorruptedAccessToken tests validation with corrupted access token
+func (s *SessionBehaviourSuite) TestValidateSessionHealth_CorruptedAccessToken() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set session as authenticated
+	err = session.SetAuthenticated(true)
+	s.Require().NoError(err)
+
+	// Manually set a corrupted access token
+	session.accessSession.Values["token"] = "__CORRUPTION_MARKER_TEST__"
+	session.accessSession.Values["compressed"] = false
+
+	// Validate health - should fail
+	err = s.sessionManager.ValidateSessionHealth(session)
+	s.Error(err)
+	s.Contains(err.Error(), "access token validation failed")
+}
+
+// TestValidateSessionHealth_PathTraversalAttempt tests detection of path traversal in session
+func (s *SessionBehaviourSuite) TestValidateSessionHealth_PathTraversalAttempt() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set session as authenticated
+	err = session.SetAuthenticated(true)
+	s.Require().NoError(err)
+
+	// Inject path traversal attempt in session value
+	session.mainSession.Values["malicious"] = "../../../etc/passwd"
+
+	// Validate health - should detect tampering
+	err = s.sessionManager.ValidateSessionHealth(session)
+	s.Error(err)
+	s.Contains(err.Error(), "tampering detected")
+}
+
+// TestValidateSessionHealth_XSSAttempt tests detection of XSS attempt in session
+func (s *SessionBehaviourSuite) TestValidateSessionHealth_XSSAttempt() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set session as authenticated
+	err = session.SetAuthenticated(true)
+	s.Require().NoError(err)
+
+	// Inject XSS attempt in session value
+	session.mainSession.Values["xss"] = "<script>alert('xss')</script>"
+
+	// Validate health - should detect tampering
+	err = s.sessionManager.ValidateSessionHealth(session)
+	s.Error(err)
+	s.Contains(err.Error(), "tampering detected")
+}
+
+// TestValidateSessionHealth_SuspiciouslyLongValue tests detection of suspiciously long values
+func (s *SessionBehaviourSuite) TestValidateSessionHealth_SuspiciouslyLongValue() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set session as authenticated
+	err = session.SetAuthenticated(true)
+	s.Require().NoError(err)
+
+	// Inject suspiciously long value
+	session.mainSession.Values["long_value"] = strings.Repeat("x", 15000)
+
+	// Validate health - should detect suspicious value
+	err = s.sessionManager.ValidateSessionHealth(session)
+	s.Error(err)
+	s.Contains(err.Error(), "suspiciously long")
+}
+
+// TestValidateTokenFormat_EmptyToken tests validation of empty token
+func (s *SessionBehaviourSuite) TestValidateTokenFormat_EmptyToken() {
+	err := s.sessionManager.validateTokenFormat("", "access_token")
+	s.NoError(err) // Empty tokens are valid (just not present)
+}
+
+// TestValidateTokenFormat_ValidJWT tests validation of valid JWT format
+func (s *SessionBehaviourSuite) TestValidateTokenFormat_ValidJWT() {
+	// Valid JWT format (header.payload.signature)
+	jwt := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.signature"
+	err := s.sessionManager.validateTokenFormat(jwt, "id_token")
+	s.NoError(err)
+}
+
+// TestValidateTokenFormat_InvalidJWTWithEmptyPart tests JWT with empty part
+func (s *SessionBehaviourSuite) TestValidateTokenFormat_InvalidJWTWithEmptyPart() {
+	// JWT with empty part
+	invalidJWT := "header..signature"
+	err := s.sessionManager.validateTokenFormat(invalidJWT, "id_token")
+	s.Error(err)
+	s.Contains(err.Error(), "empty part")
+}
+
+// TestValidateTokenFormat_CorruptionMarker tests detection of corruption marker
+func (s *SessionBehaviourSuite) TestValidateTokenFormat_CorruptionMarker() {
+	err := s.sessionManager.validateTokenFormat("__CORRUPTION_MARKER_TEST__", "access_token")
+	s.Error(err)
+	s.Contains(err.Error(), "corruption marker")
+}
+
+// TestPeriodicChunkCleanup tests the periodic cleanup function
+func (s *SessionBehaviourSuite) TestPeriodicChunkCleanup() {
+	// This should not panic or error
+	s.sessionManager.PeriodicChunkCleanup()
+
+	// Verify it can be called multiple times
+	s.sessionManager.PeriodicChunkCleanup()
+	s.sessionManager.PeriodicChunkCleanup()
+}
+
+// TestPeriodicChunkCleanup_WithCanceledContext tests cleanup with canceled context
+func (s *SessionBehaviourSuite) TestPeriodicChunkCleanup_WithCanceledContext() {
+	// Cancel the context
+	s.sessionManager.cancel()
+
+	// Should return early without panicking
+	s.sessionManager.PeriodicChunkCleanup()
+}
+
+// TestGetSessionStats tests session statistics retrieval
+func (s *SessionBehaviourSuite) TestGetSessionStats() {
+	stats := s.sessionManager.GetSessionStats()
+
+	s.NotNil(stats)
+	s.Contains(stats, "active_sessions")
+	s.Contains(stats, "pool_hits")
+	s.Contains(stats, "pool_misses")
+}
+
+// TestGetSessionMetrics tests session metrics retrieval
+func (s *SessionBehaviourSuite) TestGetSessionMetrics() {
+	metrics := s.sessionManager.GetSessionMetrics()
+
+	s.NotNil(metrics)
+	s.Equal("CookieStore", metrics["session_manager_type"])
+	s.Contains(metrics, "force_https")
+	s.Contains(metrics, "absolute_timeout_hours")
+	s.Contains(metrics, "max_cookie_size")
+	s.Contains(metrics, "has_encryption")
+}
+
+// TestEnhanceSessionSecurity_NilOptions tests enhancing nil options
+func (s *SessionBehaviourSuite) TestEnhanceSessionSecurity_NilOptions() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	options := s.sessionManager.EnhanceSessionSecurity(nil, req)
+
+	s.NotNil(options)
+	s.True(options.HttpOnly)
+	s.Equal("/", options.Path)
+}
+
+// TestEnhanceSessionSecurity_WithHTTPS tests enhancing with HTTPS request
+func (s *SessionBehaviourSuite) TestEnhanceSessionSecurity_WithHTTPS() {
+	req := httptest.NewRequest(http.MethodGet, "https://example.com/test", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+
+	options := s.sessionManager.EnhanceSessionSecurity(nil, req)
+
+	s.True(options.Secure)
+	s.Equal(http.SameSiteLaxMode, options.SameSite)
+}
+
+// TestEnhanceSessionSecurity_MissingUserAgent tests handling of missing User-Agent
+func (s *SessionBehaviourSuite) TestEnhanceSessionSecurity_MissingUserAgent() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+	// Explicitly remove User-Agent
+	req.Header.Del("User-Agent")
+
+	options := s.sessionManager.EnhanceSessionSecurity(nil, req)
+
+	// Should have reduced MaxAge for suspicious requests
+	s.NotNil(options)
+}
+
+// TestCleanupOldCookies tests cookie cleanup
+func (s *SessionBehaviourSuite) TestCleanupOldCookies() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+	req.Header.Set("Host", "example.com")
+	rw := httptest.NewRecorder()
+
+	// Add some cookies that match the prefix
+	req.AddCookie(&http.Cookie{Name: "_oidc_raczylo_m", Value: "test"})
+	req.AddCookie(&http.Cookie{Name: "_oidc_raczylo_a", Value: "test"})
+
+	// Should not panic
+	s.sessionManager.CleanupOldCookies(rw, req)
+}
+
+// TestSessionData_DirtyTracking tests dirty flag tracking
+func (s *SessionBehaviourSuite) TestSessionData_DirtyTracking() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Initially not dirty (fresh session from pool)
+	s.False(session.IsDirty())
+
+	// Mark dirty
+	session.MarkDirty()
+	s.True(session.IsDirty())
+
+	// Reset should clear dirty flag
+	session.Reset()
+	s.False(session.IsDirty())
+}
+
+// TestSessionData_SetEmail tests email setter with dirty tracking
+func (s *SessionBehaviourSuite) TestSessionData_SetEmail() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set email
+	session.SetEmail("test@example.com")
+	s.Equal("test@example.com", session.GetEmail())
+	s.True(session.IsDirty())
+}
+
+// TestSessionData_SetCSRF tests CSRF setter with dirty tracking
+func (s *SessionBehaviourSuite) TestSessionData_SetCSRF() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set CSRF
+	session.SetCSRF("csrf-token-value")
+	s.Equal("csrf-token-value", session.GetCSRF())
+	s.True(session.IsDirty())
+
+	// Setting same value should not trigger dirty again
+	session.dirty = false
+	session.SetCSRF("csrf-token-value")
+	s.False(session.IsDirty())
+}
+
+// TestSessionData_SetNonce tests nonce setter with dirty tracking
+func (s *SessionBehaviourSuite) TestSessionData_SetNonce() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set nonce
+	session.SetNonce("nonce-value")
+	s.Equal("nonce-value", session.GetNonce())
+	s.True(session.IsDirty())
+}
+
+// TestSessionData_SetCodeVerifier tests code verifier setter
+func (s *SessionBehaviourSuite) TestSessionData_SetCodeVerifier() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set code verifier
+	session.SetCodeVerifier("pkce-code-verifier")
+	s.Equal("pkce-code-verifier", session.GetCodeVerifier())
+	s.True(session.IsDirty())
+}
+
+// TestSessionData_SetIncomingPath tests incoming path setter
+func (s *SessionBehaviourSuite) TestSessionData_SetIncomingPath() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set incoming path
+	session.SetIncomingPath("/original/path?query=value")
+	s.Equal("/original/path?query=value", session.GetIncomingPath())
+	s.True(session.IsDirty())
+}
+
+// TestSessionData_RedirectCount tests redirect count operations
+func (s *SessionBehaviourSuite) TestSessionData_RedirectCount() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Initial count should be 0
+	s.Equal(0, session.GetRedirectCount())
+
+	// Increment
+	session.IncrementRedirectCount()
+	s.Equal(1, session.GetRedirectCount())
+
+	session.IncrementRedirectCount()
+	s.Equal(2, session.GetRedirectCount())
+
+	// Reset
+	session.ResetRedirectCount()
+	s.Equal(0, session.GetRedirectCount())
+}
+
+// TestSessionData_SetAccessToken tests access token storage
+func (s *SessionBehaviourSuite) TestSessionData_SetAccessToken() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set a valid opaque access token
+	token := "opaque-access-token-with-sufficient-length-for-testing"
+	session.SetAccessToken(token)
+
+	// Get the token back
+	retrieved := session.GetAccessToken()
+	s.Equal(token, retrieved)
+}
+
+// TestSessionData_SetAccessToken_InvalidFormat tests rejection of invalid token format
+func (s *SessionBehaviourSuite) TestSessionData_SetAccessToken_InvalidFormat() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set a token with invalid format (exactly 1 dot is invalid)
+	session.SetAccessToken("invalid.token")
+
+	// Should be rejected
+	retrieved := session.GetAccessToken()
+	s.Empty(retrieved)
+}
+
+// TestSessionData_SetAccessToken_TooShortOpaque tests rejection of too short opaque token
+func (s *SessionBehaviourSuite) TestSessionData_SetAccessToken_TooShortOpaque() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set a very short opaque token (less than 20 chars)
+	session.SetAccessToken("short")
+
+	// Should be rejected
+	retrieved := session.GetAccessToken()
+	s.Empty(retrieved)
+}
+
+// TestSessionData_SetIDToken_ValidJWT tests ID token storage with valid JWT
+func (s *SessionBehaviourSuite) TestSessionData_SetIDToken_ValidJWT() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set a valid JWT format ID token
+	token := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.signature"
+	session.SetIDToken(token)
+
+	// The ID token should be stored - verify it directly from the session
+	// since GetIDToken uses ChunkManager which may apply additional validation
+	storedToken, _ := session.idTokenSession.Values["token"].(string)
+	s.NotEmpty(storedToken)
+	s.True(session.IsDirty())
+}
+
+// TestSessionData_SetIDToken_InvalidFormat tests rejection of invalid ID token format
+func (s *SessionBehaviourSuite) TestSessionData_SetIDToken_InvalidFormat() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set a non-JWT format (ID tokens must be JWT)
+	session.SetIDToken("not-a-jwt-token")
+
+	// Should be rejected
+	retrieved := session.GetIDToken()
+	s.Empty(retrieved)
+}
+
+// TestSessionData_SetRefreshToken tests refresh token storage
+func (s *SessionBehaviourSuite) TestSessionData_SetRefreshToken() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Set refresh token (opaque format is valid)
+	token := "refresh-token-opaque-format-value"
+	session.SetRefreshToken(token)
+
+	// Get the token back
+	retrieved := session.GetRefreshToken()
+	s.Equal(token, retrieved)
+}
+
+// TestSessionData_SetRefreshToken_TooLarge tests rejection of too large refresh token
+func (s *SessionBehaviourSuite) TestSessionData_SetRefreshToken_TooLarge() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Create a very large token (over 50KB)
+	largeToken := strings.Repeat("x", 60*1024)
+	session.SetRefreshToken(largeToken)
+
+	// Should be rejected
+	retrieved := session.GetRefreshToken()
+	s.Empty(retrieved)
+}
+
+// TestSessionData_GetRefreshTokenIssuedAt tests refresh token issued timestamp
+func (s *SessionBehaviourSuite) TestSessionData_GetRefreshTokenIssuedAt() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Before setting refresh token, issued_at should be zero
+	issuedAt := session.GetRefreshTokenIssuedAt()
+	s.True(issuedAt.IsZero())
+
+	// Set refresh token (this sets issued_at)
+	session.SetRefreshToken("refresh-token-value-here")
+
+	// Now issued_at should be set
+	issuedAt = session.GetRefreshTokenIssuedAt()
+	s.False(issuedAt.IsZero())
+	s.True(time.Since(issuedAt) < 5*time.Second) // Should be very recent
+}
+
+// TestSessionData_Clear tests session clearing
+func (s *SessionBehaviourSuite) TestSessionData_Clear() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+	rw := httptest.NewRecorder()
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+
+	// Set some data
+	err = session.SetAuthenticated(true)
+	s.Require().NoError(err)
+	session.SetEmail("test@example.com")
+	session.SetCSRF("csrf-token")
+
+	// Clear session
+	err = session.Clear(req, rw)
+	s.NoError(err)
+
+	// After clear, session is returned to pool, so we shouldn't use it
+}
+
+// TestSessionData_Save tests session saving
+func (s *SessionBehaviourSuite) TestSessionData_Save() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+	rw := httptest.NewRecorder()
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+	defer session.returnToPoolSafely()
+
+	// Modify session
+	session.SetEmail("test@example.com")
+	s.True(session.IsDirty())
+
+	// Save session
+	err = session.Save(req, rw)
+	s.NoError(err)
+
+	// After save, dirty flag should be cleared
+	s.False(session.IsDirty())
+
+	// Response should have cookies
+	cookies := rw.Result().Cookies()
+	s.NotEmpty(cookies)
+}
+
+// TestSessionData_ReturnToPool tests returning session to pool
+func (s *SessionBehaviourSuite) TestSessionData_ReturnToPool() {
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+	session, err := s.sessionManager.GetSession(req)
+	s.Require().NoError(err)
+
+	// Initially in use
+	s.True(session.inUse)
+
+	// Return to pool safely
+	session.returnToPoolSafely()
+
+	// Should no longer be in use
+	s.False(session.inUse)
+}
+
+// TestTokenCompression tests token compression functionality
+func (s *SessionBehaviourSuite) TestTokenCompression() {
+	// A typical JWT token that could benefit from compression
+	token := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRlc3Qta2V5LWlkIn0.eyJpc3MiOiJodHRwczovL3Rlc3QtaXNzdWVyLmNvbSIsInN1YiI6InRlc3Qtc3ViamVjdCIsImF1ZCI6InRlc3QtY2xpZW50LWlkIiwiZXhwIjoxNzAyNDE2MDAwLCJpYXQiOjE3MDI0MTI0MDAsIm5vbmNlIjoidGVzdC1ub25jZSIsImVtYWlsIjoidXNlckBleGFtcGxlLmNvbSJ9.signature_data_here"
+
+	compressed := compressToken(token)
+
+	// Decompress and verify
+	decompressed := decompressToken(compressed)
+	s.Equal(token, decompressed)
+}
+
+// TestTokenCompression_EmptyToken tests compression of empty token
+func (s *SessionBehaviourSuite) TestTokenCompression_EmptyToken() {
+	compressed := compressToken("")
+	s.Empty(compressed)
+
+	decompressed := decompressToken("")
+	s.Empty(decompressed)
+}
+
+// TestTokenCompression_InvalidFormat tests compression of non-JWT token
+func (s *SessionBehaviourSuite) TestTokenCompression_InvalidFormat() {
+	// Token without proper JWT format (wrong number of dots)
+	token := "not-a-jwt"
+	compressed := compressToken(token)
+
+	// Should return original (not compressed)
+	s.Equal(token, compressed)
+}
+
+// TestSplitIntoChunks tests chunk splitting functionality
+func (s *SessionBehaviourSuite) TestSplitIntoChunks() {
+	// Test with a string that needs splitting
+	data := strings.Repeat("x", 3000)
+	chunks := splitIntoChunks(data, 1000)
+
+	s.Equal(3, len(chunks))
+	s.Equal(1000, len(chunks[0]))
+	s.Equal(1000, len(chunks[1]))
+	s.Equal(1000, len(chunks[2]))
+
+	// Verify reassembly
+	reassembled := strings.Join(chunks, "")
+	s.Equal(data, reassembled)
+}
+
+// TestSplitIntoChunks_SmallData tests chunk splitting with data smaller than chunk size
+func (s *SessionBehaviourSuite) TestSplitIntoChunks_SmallData() {
+	data := "small"
+	chunks := splitIntoChunks(data, 1000)
+
+	s.Equal(1, len(chunks))
+	s.Equal(data, chunks[0])
+}
+
+// TestValidateChunkSize tests chunk size validation
+func (s *SessionBehaviourSuite) TestValidateChunkSize() {
+	// Small chunk should be valid
+	s.True(validateChunkSize("small_chunk_data"))
+
+	// Very large chunk should be invalid
+	largeChunk := strings.Repeat("x", 5000)
+	s.False(validateChunkSize(largeChunk))
+}
+
+// TestIsCorruptionMarker tests corruption marker detection
+func (s *SessionBehaviourSuite) TestIsCorruptionMarker() {
+	// Known corruption markers
+	s.True(isCorruptionMarker("__CORRUPTION_MARKER_TEST__"))
+	s.True(isCorruptionMarker("__INVALID_BASE64_DATA__"))
+	s.True(isCorruptionMarker("<<<CORRUPTED>>>"))
+
+	// Normal data
+	s.False(isCorruptionMarker("normal-data"))
+	s.False(isCorruptionMarker("eyJhbGciOiJSUzI1NiJ9"))
+	s.False(isCorruptionMarker(""))
+
+	// Data with special characters (in long strings)
+	s.True(isCorruptionMarker("long-string-with!special@chars"))
+}
+
+// TestSessionManager_Shutdown tests graceful shutdown
+func (s *SessionBehaviourSuite) TestSessionManager_Shutdown() {
+	// Create a new session manager for this test
+	sm, err := NewSessionManager(
+		"test-encryption-key-32-bytes-long!!",
+		false,
+		"",
+		"",
+		0,
+		s.logger,
+	)
+	s.Require().NoError(err)
+
+	// Shutdown should complete without error
+	err = sm.Shutdown()
+	s.NoError(err)
+
+	// Second shutdown should also be safe (idempotent)
+	err = sm.Shutdown()
+	s.NoError(err)
+}
+
+// TestCookieNameHelpers tests cookie name helper methods
+func (s *SessionBehaviourSuite) TestCookieNameHelpers() {
+	s.Equal("_oidc_raczylo_m", s.sessionManager.mainCookieName())
+	s.Equal("_oidc_raczylo_a", s.sessionManager.accessTokenCookieName())
+	s.Equal("_oidc_raczylo_r", s.sessionManager.refreshTokenCookieName())
+	s.Equal("_oidc_raczylo_id", s.sessionManager.idTokenCookieName())
+}
+
+// TestSessionManager_CustomCookiePrefix tests custom cookie prefix
+func (s *SessionBehaviourSuite) TestSessionManager_CustomCookiePrefix() {
+	customSM, err := NewSessionManager(
+		"test-encryption-key-32-bytes-long!!",
+		false,
+		"",
+		"custom_prefix_",
+		0,
+		s.logger,
+	)
+	s.Require().NoError(err)
+	defer customSM.Shutdown()
+
+	s.Equal("custom_prefix_m", customSM.mainCookieName())
+	s.Equal("custom_prefix_a", customSM.accessTokenCookieName())
+	s.Equal("custom_prefix_r", customSM.refreshTokenCookieName())
+	s.Equal("custom_prefix_id", customSM.idTokenCookieName())
+}
+
+// TestSessionManager_ShortEncryptionKey tests rejection of short encryption key
+func (s *SessionBehaviourSuite) TestSessionManager_ShortEncryptionKey() {
+	_, err := NewSessionManager(
+		"short", // Too short
+		false,
+		"",
+		"",
+		0,
+		s.logger,
+	)
+	s.Error(err)
+	s.Contains(err.Error(), "encryption key must be at least")
+}
+
+// TestGenerateSecureRandomString tests secure random string generation
+func (s *SessionBehaviourSuite) TestGenerateSecureRandomString() {
+	// Generate two random strings
+	str1, err := generateSecureRandomString(32)
+	s.NoError(err)
+	s.Equal(64, len(str1)) // Hex encoding doubles length
+
+	str2, err := generateSecureRandomString(32)
+	s.NoError(err)
+	s.Equal(64, len(str2))
+
+	// They should be different
+	s.NotEqual(str1, str2)
+}
+
+// TestConstantTimeStringCompare tests constant-time string comparison
+func (s *SessionBehaviourSuite) TestConstantTimeStringCompare() {
+	s.True(constantTimeStringCompare("hello", "hello"))
+	s.False(constantTimeStringCompare("hello", "world"))
+	s.False(constantTimeStringCompare("hello", "hell"))
+	s.False(constantTimeStringCompare("", "hello"))
+	s.True(constantTimeStringCompare("", ""))
+}
+
+func TestSessionBehaviourSuite(t *testing.T) {
+	suite.Run(t, new(SessionBehaviourSuite))
+}