SS-2017-006: Session user agent change detection

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Low (?)
Identifier:: ss-2017-006
Versions Affected:: 3.5.5 and below, 3.6.0 to 3.6.2
Versions Fixed:: 3.5.6, 3.6.3
Release Date:: 2017-12-07

A security protection device in Session designed to protect session hijacking was not correctly functioning. This function intended to protect user sessions by detecting changes in the User-Agent header, but modifications to this header were not correctly invalidating the user session.

Reported by Patrick Nelson - https://catchyour.com/