Uh, no.
That hadn't jumped out at me.
I've just corrected it:
Set-Cookie: HttpOnly;Secure;SameSite=Strict
But that didn't solve the problem.
New sequence:
https://www.mondomaine.com/control/index.php?controller=AdminLogin&redirect=/control/ajax.php?rand=1583309033394
Response
HTTP/1.1 200 OK
Date: Wed, 04 Mar 2020 08:03:53 GMT
Server: Apache
Expires: Mon, 06 Jun 1985 06:06:00 GMT+1
Login: true
Cache-Control: no-store, no-cache
Set-Cookie: PrestaShop-26674b20b432ea370157ba5c64c1a2bb=l6AnDcaUy0OUcRghDhp1YycWwhNxB%2B98kgNljg5WqoJgKhki3igAnAZwwEFlhmATFg4CTY7Y6izmwVNweXtuIchRwnUqYVHC8aar01nfhtM%3D000079; expires=Sat, 24-Apr-2021 23:03:53 GMT; Max-Age=35996399; path=/; domain=www.mondomaine.com; HttpOnly
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FRAME-OPTIONS: SAMEORIGIN
[…]
Set-Cookie: HttpOnly;Secure;SameSite=Strict
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' 'self' *.google.com www.google-analytics.com www.googletagmanager.com bat.bing.com connect.facebook.net ajax.googleapis.com cdn.jsdelivr.net maps.googleapis.com maps.google.com www.googleadservices.com googleads.g.doubleclick.net; img-src 'self' data: www.google.com www.google.fr https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net bat.bing.com maps.gstatic.com maps.googleapis.com maps.google.com; connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net
[…]
Request
Host: www.mondomaine.com
[…]
Referer: https://www.mondomaine.com/control/index.php?controller=AdminProducts&token=c498a136b16e85e31db46847d37d87d4
DNT: 1
Connection: keep-alive
Cookie: HttpOnly; PrestaShop-26674b20b432ea370157ba5c64c1a2bb=l6AnDcaUy0OUcRghDhp1YycWwhNxB%2B98kgNljg5WqoJgKhki3igAnAZwwEFlhmATFg4CTY7Y6izmwVNweXtuIchRwnUqYVHC8aar01nfhtM%3D000079
Pragma: no-cache
https://www.mondomaine.com/control/index.php?controller=AdminProducts&token=c498a136b16e85e31db46847d37d87d4
Logout
Response
HTTP/1.1 302 Found
Date: Wed, 04 Mar 2020 08:10:20 GMT
Server: Apache
[…]
Set-Cookie: PrestaShop-26674b20b432ea370157ba5c64c1a2bb=0; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=-1583309420; path=/; domain=www.mondomaine.com; HttpOnly
Set-Cookie: PrestaShop-26674b20b432ea370157ba5c64c1a2bb=1HTIiltzkT8R%2FaKYLGLkcMIdIkz4ZZtAZal1AGGUd4w%3D000017; expires=Sat, 24-Apr-2021 23:10:20 GMT; Max-Age=35996399; path=/; domain=www.mondomaine.com; HttpOnly
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FRAME-OPTIONS: SAMEORIGIN
Vary: Host,Accept-Encoding
Location: index.php?controller=AdminLogin&token=5ff9a57303d342b88d922482592ee373&redirect=AdminProducts
Content-Encoding: gzip
Set-Cookie: HttpOnly;Secure;SameSite=Strict
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' 'self' *.google.com www.google-analytics.com www.googletagmanager.com bat.bing.com connect.facebook.net ajax.googleapis.com cdn.jsdelivr.net maps.googleapis.com maps.google.com www.googleadservices.com googleads.g.doubleclick.net; img-src 'self' data: www.google.com www.google.fr https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net bat.bing.com maps.gstatic.com maps.googleapis.com maps.google.com; connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net
[…]
Request
Host: www.mondomaine.com
[…]
Referer: https://www.mondomaine.com/control/index.php?controller=AdminProducts&token=c498a136b16e85e31db46847d37d87d4
DNT: 1
Connection: keep-alive
Cookie: HttpOnly; PrestaShop-26674b20b432ea370157ba5c64c1a2bb=l6AnDcaUy0OUcRghDhp1YycWwhNxB%2B98kgNljg5WqoJgKhki3igAnAZwwEFlhmATFg4CTY7Y6izmwVNweXtuIchRwnUqYVHC8aar01nfhtM%3D000079
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
I can't understand it.
In this case, the request at logout time does send the cookie.
In the response, the server replies with a double cookie:
Set-Cookie: PrestaShop-26674b20b432ea370157ba5c64c1a2bb=0; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=-1583309420; path=/; domain=www.mondomaine.com; HttpOnly
Set-Cookie: PrestaShop-26674b20b432ea370157ba5c64c1a2bb=1HTIiltzkT8R%2FaKYLGLkcMIdIkz4ZZtAZal1AGGUd4w%3D000017; expires=Sat, 24-Apr-2021 23:10:20 GMT; Max-Age=35996399; path=/; domain=www.mondomaine.com; HttpOnly
Including a new one, which looks truncated, and without the 1970 date.
The point you raised about "stict" made me look on the Apache side rather than PS.
40 minutes without being logged out. It seems the problem comes from:
# Added 6/02/20
#Header set Set-Cookie HttpOnly;Secure;SameSite=Strict
#Header always set X-FRAME-OPTIONS "SAMEORIGIN"
#Header set Content-Security-Policy-Report-Only "script-src 'unsafe-inline' 'unsafe-eval' 'self' *.google.com www.google-analytics.com www.googletagmanager.com bat.bing.com connect.facebook.net ajax.googleapis.com cdn.jsdelivr.net maps.googleapis.com maps.google.com www.googleadservices.com googleads.g.doubleclick.net; img-src 'self' data: www.google.com www.google.fr https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net bat.bing.com maps.gstatic.com maps.googleapis.com maps.google.com; connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net"
Damn, problem still not resolved.
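An added example (not the poster's code, nor PrestaShop's) that shows what the captured headers actually tell a browser. The Apache directive `Header set Set-Cookie HttpOnly;Secure;SameSite=Strict` does not add flags to the session cookie; it emits a separate `Set-Cookie` whose first token contains no `=`, so the browser stores a cookie with an empty name and the value `HttpOnly` (which is exactly the `Cookie: HttpOnly;` seen in the requests above), while the real PrestaShop cookie still has no `Secure` and no `SameSite`. The script parses the three `Set-Cookie` lines quoted in the logout response (copied into a constructed list) and reports those findings; the header names and logic are mine, not from the thread.

```python
"""Audit Set-Cookie headers captured from an HTTP response.

Added example for the thread above; input is a constructed list built from
the Set-Cookie lines quoted in the post, not code from the forum or PrestaShop.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three Set-Cookie lines from the logout (302) response.
SAMPLE_HEADERS = [
    "Set-Cookie: PrestaShop-26674b20b432ea370157ba5c64c1a2bb=0; "
    "expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=-1583309420; path=/; "
    "domain=www.mondomaine.com; HttpOnly",
    "Set-Cookie: PrestaShop-26674b20b432ea370157ba5c64c1a2bb="
    "1HTIiltzkT8R%2FaKYLGLkcMIdIkz4ZZtAZal1AGGUd4w%3D000017; "
    "expires=Sat, 24-Apr-2021 23:10:20 GMT; Max-Age=35996399; path=/; "
    "domain=www.mondomaine.com; HttpOnly",
    "Set-Cookie: HttpOnly;Secure;SameSite=Strict",  # what `Header set` produced
]


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for flag attributes
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header into name, value and attributes.

    The first ';'-separated token is the name=value pair. If it has no '=',
    browsers such as the one in the post keep it as a cookie with an empty
    name whose value is the whole token, which is why the bogus directive
    shows up later as 'Cookie: HttpOnly;'.
    """
    _, _, body = header.partition(":")  # strip the 'Set-Cookie:' prefix only
    parts = [p.strip() for p in body.strip().split(";")]
    first, attr_parts = parts[0], parts[1:]
    if "=" in first:
        name, _, value = first.partition("=")
    else:
        name, value = "", first
    attrs: Dict[str, Optional[str]] = {}
    for part in attr_parts:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return Cookie(name.strip(), value.strip(), attrs)


def is_deletion(cookie: Cookie) -> bool:
    """A Max-Age <= 0 tells the browser to drop the cookie; flags are moot."""
    max_age = cookie.attrs.get("max-age")
    return max_age is not None and max_age.lstrip("-").isdigit() and int(max_age) <= 0


def audit(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (cookie name, issue) pairs for every Set-Cookie line."""
    findings: List[Tuple[str, str]] = []
    for header in headers:
        if not header.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(header)
        if cookie.name == "":
            findings.append(("<nameless>", f"no '=' in first token; browser stores a "
                                           f"cookie with empty name and value {cookie.value!r}, "
                                           f"its attributes protect nothing"))
            continue
        if is_deletion(cookie):
            continue  # expiry instruction, nothing to harden
        for flag in ("secure", "httponly", "samesite"):
            if flag not in cookie.attrs:
                findings.append((cookie.name, f"missing {flag}"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(SAMPLE_HEADERS):
        print(f"{name}: {issue}")
```

Run against the post's logout response it prints two findings for the real PrestaShop cookie (missing `secure`, missing `samesite`) and one for the nameless cookie. The usual way to add flags to cookies the application already sets, rather than creating a new one, is mod_headers' edit form, for example `Header edit Set-Cookie ^(.*)$ "$1; Secure; SameSite=Strict"` (an assumption about the intended setup, not something from the thread); re-running this audit on the response after such a change is a quick way to confirm the flags landed on the right cookie.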