SS-2017-006: Session user agent change detection
- Severity: Low (?)
- Identifier: ss-2017-006
- Versions Affected: 3.5.5 and below, 3.6.0 to 3.6.2
- Versions Fixed: 3.5.6, 3.6.3
- Release Date: 2017-12-07
A protection in Session intended to defend against session hijacking was not functioning correctly. It was designed to detect changes in the User-Agent header and invalidate the user session when one occurred, but changes to this header did not invalidate the session as intended.
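The behaviour the protection was meant to have, written out as an added illustration (constructed for this advisory, not SilverStripe's code; the `SessionStore` class and its method names are hypothetical): the session records a hash of the User-Agent seen when it was created, and any later request presenting a different User-Agent destroys the session instead of resuming it.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of User-Agent binding for sessions. Names are
# hypothetical and the store is in-memory; a real application would use its
# framework's session backend.


def ua_fingerprint(user_agent: str) -> str:
    """Hash the header so the raw User-Agent string is not kept with the session."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def start(self, user_agent: str, data: dict) -> str:
        """Create a session and record the fingerprint of the requesting User-Agent."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"ua": ua_fingerprint(user_agent), "data": dict(data)}
        return sid

    def resume(self, sid: str, user_agent: str):
        """Return the session data if the User-Agent still matches.

        On a mismatch the session is destroyed and None is returned, so the
        caller treats the request as anonymous. This invalidation is the step
        the affected releases failed to enforce.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if not hmac.compare_digest(entry["ua"], ua_fingerprint(user_agent)):
            del self._sessions[sid]
            return None
        return entry["data"]

    def exists(self, sid: str) -> bool:
        return sid in self._sessions
```

The User-Agent header is client-supplied, so this check is defence in depth against a stolen session identifier being replayed from a different client, not a replacement for secure cookie attributes and short session lifetimes.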
Reported by Patrick Nelson - https://catchyour.com/