I'm running a vote system. Sessions keys are partially generated using a hash of the browser useragent string. Some users are encountering errors because of weird useragent string changes as seen below by a page trace.
The useragent is being detected in the following manor in PHP at the very beginning of each page load.
function useragent()
{
static $user_agent = null;
if($user_agent === null)
{
$user_agent = getenv('HTTP_USER_AGENT');
if(empty($user_agent) === true)
{
$user_agent = $_SERVER['HTTP_USER_AGENT'];
}
}
return $user_agent;
}
Page action trace as below.
[2012-09-27 13:20:50] => Array
(
[uri] => /start
[ua] => Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Sky Broadband; DS_desktopsmiley; GTB7.4; chromeframe/21.0.1180.89; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; playbrytetoolbar_playbryte; AskTB5.6; 789905664603; lib/6.02324)
)
[2012-09-27 13:20:50] => Array
(
[uri] => /nominees
[ua] => Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Sky Broadband; DS_desktopsmiley; GTB7.4; chromeframe/21.0.1180.89; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; playbrytetoolbar_playbryte; AskTB5.6; 789905664603; lib/6.02324)
)
[2012-09-27 13:21:10] => Array
(
[uri] => /nominees-save
[post] => Array
(
[category] => talent_show
[talent_show] => 5
)
[ua] => Mozilla/5.0 (Windows NT 6.0; chromeframe/21.0.1180.89) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
)
[2012-09-27 13:21:10] => Array
(
[uri] => /vote-error
[ua] => Mozilla/5.0 (Windows NT 6.0; chromeframe/21.0.1180.89) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
)
[2012-09-27 13:21:16] => Array
(
[uri] => /vote-start
[ua] => Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Sky Broadband; DS_desktopsmiley; GTB7.4; chromeframe/21.0.1180.89; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; playbrytetoolbar_playbryte; AskTB5.6; 789905664603; lib/6.02324)
)
There are three things I notice. 1) this person has a crap load of toolbars installed. 2) Chromeframe is installed. 3) the MSIE exists on normal pages but not on a POST request and the subsequent request.
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
is added to the HTML and returned headers. Is chromeframe the responsible party here? If so why would chromeframe be hijacking POST request headers like this? If it is not chromeframe any ideas as to why?
My guess would definitely be ChromeFrame. There are probably numerous reasons as to why the user agent string is being augmented by it. Here are a few I could guess at (these all hinge on the fact that ChromeFrame probably steps in only when it thinks it is required):
ChromeFrame - when enabled - has no knowledge or access to the original browsers user agent string, And so generates it's own.
It could do it to aid development server-side.
ChromeFrame is an entirely different user agent, so therefore it could easily be argued that it should report differently to the server-side. (especially changing from Mozilla 4.0 to 5.0)
Basically the user agent string is not reliable. You should find some other means.