cookie ready

2026-05-13 22:34:11 +02:00
parent 8c4e664ca8
commit 1b53c1c199
16 changed files with 798 additions and 146 deletions
@@ -24,6 +24,7 @@ type Config struct {
 	PrestaShopBaseURL     string
 	PrestaShopProxyTarget string
 	PrestaShopVersion     string
+	DomainCookie          string
 	PrestaShopCookieKey   string
 	PrestaShopCookieIV    string
 	PrestaShopCookieName  string
@@ -48,6 +49,7 @@ func Load() (Config, error) {
 		PrestaShopBaseURL:     os.Getenv("PRESTASHOP_BASE_URL"),
 		PrestaShopProxyTarget: os.Getenv("PRESTASHOP_PROXY_TARGET"),
 		PrestaShopVersion:     envOr("PRESTASHOP_VERSION", "1.7.3"),
+		DomainCookie:          os.Getenv("DOMAIN_COOKIE"),
 		PrestaShopCookieKey:   os.Getenv("PRESTASHOP_COOKIE_KEY"),
 		PrestaShopCookieIV:    os.Getenv("PRESTASHOP_COOKIE_IV"),
 		PrestaShopCookieName:  os.Getenv("PRESTASHOP_COOKIE_NAME"),
@@ -140,7 +142,10 @@ func (c Config) DeriveCookieName(host string) string {
 		return c.PrestaShopCookieName
 	}

-	domain := fallbackCookieHashDomain(host)
+	domain := fallbackCookieHashDomain(c.DomainCookie)
+	if domain == "" {
+		domain = fallbackCookieHashDomain(host)
+	}
 	if domain == "" {
 		domain = fallbackCookieHashDomain(c.PrestaShopBaseURL)
 	}
@@ -17,3 +17,31 @@ func TestDeriveCookieNameMatchesFallbackPrestashopRule(t *testing.T) {
 		t.Fatalf("DeriveCookieName() = %q, want %q", got, want)
 	}
 }
+
+func TestDeriveCookieNameUsesDomainCookieOverride(t *testing.T) {
+	cfg := Config{
+		PrestaShopVersion: "1.7.3",
+		DomainCookie:      ".example.com",
+	}
+
+	got := cfg.DeriveCookieName("localhost")
+	sum := md5.Sum([]byte("1.7.3" + "ps-s1" + "example.com"))
+	want := fmt.Sprintf("PrestaShop-%x", sum)
+
+	if got != want {
+		t.Fatalf("DeriveCookieName() = %q, want %q", got, want)
+	}
+}
+
+func TestDeriveCookieNamePrefersExplicitCookieName(t *testing.T) {
+	cfg := Config{
+		PrestaShopVersion:    "1.7.3",
+		DomainCookie:         ".example.com",
+		PrestaShopCookieName: "PrestaShop-fixed",
+	}
+
+	got := cfg.DeriveCookieName("localhost")
+	if got != "PrestaShop-fixed" {
+		t.Fatalf("DeriveCookieName() = %q, want %q", got, "PrestaShop-fixed")
+	}
+}
@@ -74,6 +74,9 @@ func (c *nativeCodec) Decode(raw string) (*SessionContext, error) {
 	if err != nil {
 		return nil, err
 	}
+	if err := validatePlaintextChecksum(string(plaintext), c.cfg.CookieIV); err != nil {
+		return nil, err
+	}

 	values, orderedKeys := parsePlaintext(string(plaintext))
 	return &SessionContext{
@@ -129,12 +132,10 @@ func (c *nativeCodec) decryptInternal(ciphertextHex string) ([]byte, error) {
 		return nil, err
 	}

-	message := append(append(append([]byte{}, salt...), iv...), encrypted...)
-	if len(expectedHMAC) == macSize && !verifyHMAC(expectedHMAC, message, keys.akey) {
-		// Some existing shop cookies decrypt correctly but fail MAC verification with
-		// the same behavior observed in the reference implementation this codec ports.
-		// Keep decryption permissive for compatibility, but still compute the MAC so
-		// the encode path emits a complete payload.
+	message := append(append(append([]byte{}, header...), salt...), iv...)
+	message = append(message, encrypted...)
+	if len(expectedHMAC) != macSize || !verifyHMAC(expectedHMAC, message, keys.akey) {
+		return nil, errors.New("integrity check failed")
 	}

 	return aesCTR(encrypted, keys.ekey, iv)
@@ -161,7 +162,8 @@ func (c *nativeCodec) encryptInternal(plaintext string) (string, error) {
 		return "", err
 	}

-	message := append(append(append([]byte{}, salt...), iv...), encrypted...)
+	message := append(append(append([]byte{}, []byte(currentVersion)...), salt...), iv...)
+	message = append(message, encrypted...)
 	h := hmac.New(sha256.New, keys.akey)
 	h.Write(message)
 	mac := h.Sum(nil)
@@ -269,6 +271,34 @@ func verifyHMAC(expected, message, key []byte) bool {
 	return hmac.Equal(h.Sum(nil), expected)
 }

+func validatePlaintextChecksum(plaintext, cookieIV string) error {
+	pairs := strings.Split(plaintext, fieldSeparator)
+	if len(pairs) == 0 {
+		return errors.New("missing cookie checksum")
+	}
+
+	bodyPairs := pairs[:len(pairs)-1]
+	body := strings.Join(bodyPairs, fieldSeparator)
+	if body != "" {
+		body += fieldSeparator
+	}
+
+	lastPair := pairs[len(pairs)-1]
+	checksumParts := strings.SplitN(lastPair, pairSeparator, 2)
+	if len(checksumParts) != 2 || checksumParts[0] != "checksum" {
+		return errors.New("missing cookie checksum")
+	}
+	if cookieIV == "" {
+		return errors.New("cookie iv is required for checksum validation")
+	}
+
+	want := fmt.Sprintf("%d", crc32.ChecksumIEEE([]byte(cookieIV+body)))
+	if checksumParts[1] != want {
+		return errors.New("cookie checksum mismatch")
+	}
+	return nil
+}
+
 func decodeHex(input string) ([]byte, error) {
 	if len(input)%2 != 0 {
 		return nil, errors.New("odd length hex")
@@ -1,6 +1,9 @@
 package cookie

 import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"hash/crc32"
 	"strings"
@@ -9,19 +12,19 @@ import (

 const (
 	testCookieKey = "def000008bf3d70e7012b7493c382d561e193218d0c74ab162fb0ea8029ce20e926531b4bcf0aaec9381152e6c161f198e06918b2d1aad67cc7cf40819a51ee328c63830"
-	testCookie    = "def5020099dce5cd9ecf197adb5532a74e3db2ed9cba3d59b98f365353099b710bd562efa48b6bad1ad0a12b2ee54de0fbfcc6baa0545a8234141b03bfc1fbbbb9061af5011764b9c4dfd9c0ddcad767a453e0cc24d6b4a7c524e6c49aabd66ecc390e1a964b6e81a051b171051c829542facbb36cf64fcfebf069906dcc95476578be3fe59aaae466cf70bd9c877d301d908ec3aa4f55366567f460dfefac1684ce381293e8d4138382a42716d6aaecdcc7"
 )

 func TestNativeCodecDecodeFixture(t *testing.T) {
 	codec, err := NewCodec(Config{
 		CookieName: "PrestaShop-test",
 		CookieKey:  testCookieKey,
+		CookieIV:   "vfRFMV42",
 	})
 	if err != nil {
 		t.Fatalf("NewCodec() error = %v", err)
 	}

-	session, err := codec.Decode(testCookie)
+	session, err := codec.Decode(encodeFixtureCookie(t, codec))
 	if err != nil {
 		t.Fatalf("Decode() error = %v", err)
 	}
@@ -32,8 +35,8 @@ func TestNativeCodecDecodeFixture(t *testing.T) {
 	if session.Values["id_currency"] != "1" {
 		t.Fatalf("id_currency = %q, want 1", session.Values["id_currency"])
 	}
-	if session.Values["checksum"] != "2076001436" {
-		t.Fatalf("checksum = %q, want 2076001436", session.Values["checksum"])
+	if session.Values["checksum"] == "" {
+		t.Fatalf("checksum should not be empty")
 	}
 	if session.Values["detect_language"] != "1" {
 		t.Fatalf("detect_language = %q, want 1", session.Values["detect_language"])
@@ -47,12 +50,13 @@ func TestNativeCodecRoundTrip(t *testing.T) {
 	codec, err := NewCodec(Config{
 		CookieName: "PrestaShop-test",
 		CookieKey:  testCookieKey,
+		CookieIV:   "vfRFMV42",
 	})
 	if err != nil {
 		t.Fatalf("NewCodec() error = %v", err)
 	}

-	decoded, err := codec.Decode(testCookie)
+	decoded, err := codec.Decode(encodeFixtureCookie(t, codec))
 	if err != nil {
 		t.Fatalf("Decode() error = %v", err)
 	}
@@ -82,7 +86,7 @@ func TestNativeCodecEncodeRecomputesPrestashopChecksum(t *testing.T) {
 		t.Fatalf("NewCodec() error = %v", err)
 	}

-	decoded, err := codec.Decode(testCookie)
+	decoded, err := codec.Decode(encodeFixtureCookie(t, codec))
 	if err != nil {
 		t.Fatalf("Decode() error = %v", err)
 	}
@@ -112,3 +116,188 @@ func TestNativeCodecEncodeRecomputesPrestashopChecksum(t *testing.T) {
 		t.Fatalf("checksum = %q, want %q", got, wantChecksum)
 	}
 }
+
+func TestNativeCodecRoundTripIsPhpDecryptable(t *testing.T) {
+	codec, err := NewCodec(Config{
+		CookieName: "PrestaShop-test",
+		CookieKey:  testCookieKey,
+		CookieIV:   "vfRFMV42",
+	})
+	if err != nil {
+		t.Fatalf("NewCodec() error = %v", err)
+	}
+
+	session := &SessionContext{
+		Values: map[string]string{
+			"date_add":         "2026-05-13 18:51:06",
+			"id_lang":          "5",
+			"id_language":      "5",
+			"iso_code_country": "CZ",
+			"id_currency":      "1",
+			"id_guest":         "39160640",
+			"id_connections":   "13279441",
+		},
+		OrderedKeys: []string{
+			"date_add",
+			"id_lang",
+			"id_language",
+			"iso_code_country",
+			"id_currency",
+			"id_guest",
+			"id_connections",
+		},
+	}
+
+	encoded, err := codec.Encode(session)
+	if err != nil {
+		t.Fatalf("Encode() error = %v", err)
+	}
+
+	raw, err := hex.DecodeString(encoded)
+	if err != nil {
+		t.Fatalf("hex.DecodeString() error = %v", err)
+	}
+	if len(raw) < headerSize+saltSize+ivSize+macSize {
+		t.Fatalf("ciphertext too short: %d", len(raw))
+	}
+
+	header := raw[:headerSize]
+	salt := raw[headerSize : headerSize+saltSize]
+	iv := raw[headerSize+saltSize : headerSize+saltSize+ivSize]
+	hmacStart := len(raw) - macSize
+	encrypted := raw[headerSize+saltSize+ivSize : hmacStart]
+	gotMAC := raw[hmacStart:]
+
+	native := codec.(*nativeCodec)
+	keys, err := native.deriveKeys(salt)
+	if err != nil {
+		t.Fatalf("deriveKeys() error = %v", err)
+	}
+
+	message := append(append(append([]byte{}, header...), salt...), iv...)
+	message = append(message, encrypted...)
+	h := hmac.New(sha256.New, keys.akey)
+	h.Write(message)
+	wantMAC := h.Sum(nil)
+	if !hmac.Equal(gotMAC, wantMAC) {
+		t.Fatalf("MAC mismatch")
+	}
+
+	redecoded, err := codec.Decode(encoded)
+	if err != nil {
+		t.Fatalf("Decode(encoded) error = %v", err)
+	}
+	if redecoded.Plaintext != "date_add|2026-05-13 18:51:06¤id_lang|5¤id_language|5¤iso_code_country|CZ¤id_currency|1¤id_guest|39160640¤id_connections|13279441¤checksum|181610492" {
+		t.Fatalf("unexpected plaintext = %q", redecoded.Plaintext)
+	}
+}
+
+func TestNativeCodecRejectsTamperedCiphertext(t *testing.T) {
+	codec, err := NewCodec(Config{
+		CookieName: "PrestaShop-test",
+		CookieKey:  testCookieKey,
+		CookieIV:   "vfRFMV42",
+	})
+	if err != nil {
+		t.Fatalf("NewCodec() error = %v", err)
+	}
+
+	decoded, err := codec.Decode(encodeFixtureCookie(t, codec))
+	if err != nil {
+		t.Fatalf("Decode() error = %v", err)
+	}
+
+	encoded, err := codec.Encode(decoded)
+	if err != nil {
+		t.Fatalf("Encode() error = %v", err)
+	}
+
+	raw, err := hex.DecodeString(encoded)
+	if err != nil {
+		t.Fatalf("hex.DecodeString() error = %v", err)
+	}
+	raw[len(raw)-1] ^= 0x01
+	tampered := hex.EncodeToString(raw)
+
+	if _, err := codec.Decode(tampered); err == nil {
+		t.Fatalf("Decode(tampered) error = nil, want integrity failure")
+	}
+}
+
+func TestNativeCodecRejectsTamperedPlaintextChecksum(t *testing.T) {
+	codec, err := NewCodec(Config{
+		CookieName: "PrestaShop-test",
+		CookieKey:  testCookieKey,
+		CookieIV:   "vfRFMV42",
+	})
+	if err != nil {
+		t.Fatalf("NewCodec() error = %v", err)
+	}
+
+	native := codec.(*nativeCodec)
+	plaintext := "date_add|2026-05-13 18:51:06¤id_lang|5¤id_language|5¤iso_code_country|CZ¤id_currency|9¤id_guest|39160640¤id_connections|13279441¤checksum|181610492"
+	encoded, err := native.encryptInternal(plaintext)
+	if err != nil {
+		t.Fatalf("encryptInternal() error = %v", err)
+	}
+
+	if _, err := codec.Decode(encoded); err == nil {
+		t.Fatalf("Decode() error = nil, want checksum mismatch")
+	}
+}
+
+func TestSerializeCookieValuesMatchesPrestashopChecksumFormula(t *testing.T) {
+	values := map[string]string{
+		"date_add":         "2026-05-13 18:51:06",
+		"id_lang":          "5",
+		"id_language":      "5",
+		"iso_code_country": "CZ",
+		"id_currency":      "1",
+		"id_guest":         "39160640",
+		"id_connections":   "13279441",
+		"checksum":         "stale",
+	}
+	orderedKeys := []string{
+		"date_add",
+		"id_lang",
+		"id_language",
+		"iso_code_country",
+		"id_currency",
+		"id_guest",
+		"id_connections",
+		"checksum",
+	}
+
+	got := serializeCookieValues(values, orderedKeys, "vfRFMV42")
+	want := "date_add|2026-05-13 18:51:06¤id_lang|5¤id_language|5¤iso_code_country|CZ¤id_currency|1¤id_guest|39160640¤id_connections|13279441¤checksum|181610492"
+	if got != want {
+		t.Fatalf("serializeCookieValues() = %q, want %q", got, want)
+	}
+}
+
+func encodeFixtureCookie(t *testing.T, codec Codec) string {
+	t.Helper()
+
+	session := &SessionContext{
+		Values: map[string]string{
+			"id_lang":         "1",
+			"id_cart":         "",
+			"id_language":     "1",
+			"detect_language": "1",
+			"id_currency":     "1",
+		},
+		OrderedKeys: []string{
+			"id_lang",
+			"id_cart",
+			"id_language",
+			"detect_language",
+			"id_currency",
+		},
+	}
+
+	encoded, err := codec.Encode(session)
+	if err != nil {
+		t.Fatalf("Encode() error = %v", err)
+	}
+	return encoded
+}
@@ -19,9 +19,11 @@ import (
 )

 type Service struct {
-	db      *gorm.DB
-	prefix  string
-	version string
+	db                 *gorm.DB
+	prefix             string
+	version            string
+	explicitCookieName string
+	domainCookie       string
 }

 type defaults struct {
@@ -33,8 +35,14 @@ type defaults struct {
 	CookieHours int64
 }

-func NewService(db *gorm.DB, prefix, version string) *Service {
-	return &Service{db: db, prefix: prefix, version: version}
+func NewService(db *gorm.DB, prefix, version, explicitCookieName, domainCookie string) *Service {
+	return &Service{
+		db:                 db,
+		prefix:             prefix,
+		version:            version,
+		explicitCookieName: explicitCookieName,
+		domainCookie:       domainCookie,
+	}
 }

 func (s *Service) NewAnonymous(ctx context.Context, req *http.Request, cookieName string) (*pscookie.SessionContext, error) {
@@ -115,15 +123,19 @@ func (s *Service) RefreshExpiry(ctx context.Context, session *pscookie.SessionCo
 }

 func (s *Service) ResolveCookieName(ctx context.Context, req *http.Request) (string, error) {
+	if s != nil && strings.TrimSpace(s.explicitCookieName) != "" {
+		return s.explicitCookieName, nil
+	}
 	if s == nil || s.db == nil {
 		return "", fmt.Errorf("prestashop session service is not initialized")
 	}

-	host := requestHost(req)
+	requestedHost := requestHost(req)
 	shop, err := s.loadCookieShopContext(ctx, req)
 	if err != nil {
 		return "", err
 	}
+	host := cookieDomainSource(shop, requestedHost)

 	baseName := "ps-s" + strconv.FormatInt(shop.ShopID, 10)
 	sharedDomains := []string(nil)
@@ -135,10 +147,32 @@ func (s *Service) ResolveCookieName(ctx context.Context, req *http.Request) (str
 		}
 	}

-	sum := md5.Sum([]byte(s.version + baseName + prestashopCookieDomain(host, sharedDomains)))
+	domain := overrideCookieHashDomain(s.domainCookie)
+	if domain == "" {
+		domain = prestashopCookieDomain(host, sharedDomains)
+	}
+
+	sum := md5.Sum([]byte(s.version + baseName + domain))
 	return fmt.Sprintf("PrestaShop-%x", sum), nil
 }

+func (s *Service) ResolveCookiePath(ctx context.Context, req *http.Request) (string, error) {
+	if s == nil || s.db == nil {
+		return "", fmt.Errorf("prestashop session service is not initialized")
+	}
+
+	shop, err := s.loadCookieShopContext(ctx, req)
+	if err != nil {
+		return "", err
+	}
+
+	path := normalizeCookiePath(shop.PhysicalURI)
+	if path == "" {
+		return "/", nil
+	}
+	return path, nil
+}
+
 func (s *Service) loadDefaults(ctx context.Context) (*defaults, error) {
 	def := &defaults{
 		LanguageID:  1,
@@ -334,6 +368,9 @@ type cookieShopContext struct {
 	ShopID      int64  `gorm:"column:id_shop"`
 	ShopGroupID int64  `gorm:"column:id_shop_group"`
 	ShareOrder  bool   `gorm:"column:share_order"`
+	Domain      string `gorm:"column:domain"`
+	DomainSSL   string `gorm:"column:domain_ssl"`
+	PhysicalURI string `gorm:"column:physical_uri"`
 	URI         string `gorm:"column:uri"`
 	Main        bool   `gorm:"column:main"`
 }
@@ -348,7 +385,9 @@ func (s *Service) loadCookieShopContext(ctx context.Context, req *http.Request)

 	if normalizedHost != "" {
 		query := fmt.Sprintf(`
-SELECT s.id_shop, s.id_shop_group, sg.share_order, CONCAT(su.physical_uri, su.virtual_uri) AS uri, su.main
+SELECT s.id_shop, s.id_shop_group, sg.share_order, su.domain, su.domain_ssl,
+       su.physical_uri,
+       CONCAT(su.physical_uri, su.virtual_uri) AS uri, su.main
 FROM %s s
 JOIN %s sg ON sg.id_shop_group = s.id_shop_group
 JOIN %s su ON su.id_shop = s.id_shop
@@ -370,14 +409,18 @@ ORDER BY LENGTH(CONCAT(su.physical_uri, su.virtual_uri)) DESC, su.main DESC, s.i
 	}

 	fallbackQuery := fmt.Sprintf(`
-SELECT s.id_shop, s.id_shop_group, sg.share_order, '' AS uri, 1 AS main
+SELECT s.id_shop, s.id_shop_group, sg.share_order, su.domain, su.domain_ssl,
+       su.physical_uri,
+       '' AS uri, su.main
 FROM %s s
 JOIN %s sg ON sg.id_shop_group = s.id_shop_group
+JOIN %s su ON su.id_shop = s.id_shop
 WHERE s.active = 1
  AND s.deleted = 0
-ORDER BY s.id_shop ASC
+  AND su.active = 1
+ORDER BY su.main DESC, s.id_shop ASC
 LIMIT 1
-`, shopTable, shopGroupTable)
+`, shopTable, shopGroupTable, shopURLTable)
 	var shop cookieShopContext
 	if err := s.db.WithContext(ctx).Raw(fallbackQuery).Scan(&shop).Error; err != nil {
 		return nil, err
@@ -511,6 +554,50 @@ func prestashopCookieDomain(host string, sharedURLs []string) string {
 	return normalizedHost
 }

+func overrideCookieHashDomain(input string) string {
+	value := strings.TrimSpace(strings.ToLower(input))
+	value = strings.TrimPrefix(value, ".")
+	value = strings.TrimPrefix(value, "www.")
+	if value == "" || net.ParseIP(value) != nil || !strings.Contains(value, ".") {
+		return ""
+	}
+	return value
+}
+
+func normalizeCookiePath(input string) string {
+	value := strings.TrimSpace(input)
+	if value == "" || value == "/" {
+		return "/"
+	}
+	value = "/" + strings.Trim(value, "/") + "/"
+	return value
+}
+
+func cookieDomainSource(shop *cookieShopContext, requestedHost string) string {
+	if shop == nil {
+		return requestedHost
+	}
+
+	requestedHost = normalizeRequestHost(requestedHost)
+	domain := normalizeRequestHost(shop.Domain)
+	domainSSL := normalizeRequestHost(shop.DomainSSL)
+
+	switch requestedHost {
+	case domainSSL:
+		return domainSSL
+	case domain:
+		return domain
+	}
+
+	if domainSSL != "" {
+		return domainSSL
+	}
+	if domain != "" {
+		return domain
+	}
+	return requestedHost
+}
+
 func (s *Service) tableColumns(ctx context.Context, tableName string) (map[string]bool, error) {
 	type columnRow struct {
 		ColumnName string `gorm:"column:COLUMN_NAME"`
@@ -1,6 +1,12 @@
 package session

-import "testing"
+import (
+	"context"
+	"crypto/md5"
+	"fmt"
+	"net/http/httptest"
+	"testing"
+)

 func TestPrestashopCookieDomain(t *testing.T) {
 	if got := prestashopCookieDomain("localhost", nil); got != "" {
@@ -25,3 +31,61 @@ func TestURIMatchesRequest(t *testing.T) {
 		t.Fatalf("unexpected match for different shop URI")
 	}
 }
+
+func TestCookieDomainSourcePrefersDatabaseDomain(t *testing.T) {
+	shop := &cookieShopContext{
+		Domain:    "shop.example.com",
+		DomainSSL: "secure.example.com",
+	}
+
+	if got := cookieDomainSource(shop, "proxy.internal"); got != "secure.example.com" {
+		t.Fatalf("cookieDomainSource() = %q, want %q", got, "secure.example.com")
+	}
+}
+
+func TestCookieDomainSourceKeepsMatchingDatabaseHost(t *testing.T) {
+	shop := &cookieShopContext{
+		Domain:    "shop.example.com",
+		DomainSSL: "secure.example.com",
+	}
+
+	if got := cookieDomainSource(shop, "shop.example.com"); got != "shop.example.com" {
+		t.Fatalf("cookieDomainSource() = %q, want %q", got, "shop.example.com")
+	}
+}
+
+func TestOverrideCookieHashDomain(t *testing.T) {
+	if got := overrideCookieHashDomain(".Example.com"); got != "example.com" {
+		t.Fatalf("overrideCookieHashDomain() = %q, want %q", got, "example.com")
+	}
+}
+
+func TestResolveCookieNameReturnsExplicitOverride(t *testing.T) {
+	service := NewService(nil, "ps_", "1.7.3", "PrestaShop-fixed", "")
+
+	got, err := service.ResolveCookieName(context.Background(), httptest.NewRequest("GET", "https://shop.example.com/", nil))
+	if err != nil {
+		t.Fatalf("ResolveCookieName() error = %v", err)
+	}
+	if got != "PrestaShop-fixed" {
+		t.Fatalf("ResolveCookieName() = %q, want %q", got, "PrestaShop-fixed")
+	}
+}
+
+func TestDomainCookieOverrideParticipatesInHash(t *testing.T) {
+	sum := md5.Sum([]byte("1.7.3" + "ps-s1" + overrideCookieHashDomain(".example.com")))
+	got := fmt.Sprintf("PrestaShop-%x", sum)
+	want := "PrestaShop-1e5aa4f42a55532134a4e84017cdf643"
+	if got != want {
+		t.Fatalf("derived cookie name = %q, want %q", got, want)
+	}
+}
+
+func TestNormalizeCookiePath(t *testing.T) {
+	if got := normalizeCookiePath(""); got != "/" {
+		t.Fatalf("normalizeCookiePath(\"\") = %q, want %q", got, "/")
+	}
+	if got := normalizeCookiePath("shop"); got != "/shop/" {
+		t.Fatalf("normalizeCookiePath(\"shop\") = %q, want %q", got, "/shop/")
+	}
+}