Can $_SERVER['HTTP_USER_AGENT'] contain '+' symbol?

Question

I was wondering if $_SERVER['HTTP_USER_AGENT'] can output user agents with a + instead of a space. I'm seeing a lot of votes being made in the voting system of my website, using a plus in the user agent, such as:

Mozilla/5.0+(Windows+NT+6.2;+WOW64;+rv:33.0)+Gecko/20100101+Firefox/33.0
Mozilla/5.0+(Windows+NT+5.1;+U;+en)+Presto/2.10+Version/11.60

I suspect that this is some sort of cheating software that spoofs the user agents, but does it wrongly. Is this true, or can user agents really look like this?

Answer 1

You already see that user-agent headers can look like this since they are looking like this. ;) However, a real Mozilla browser would not replace spaces by +. You can be sure that this was not a Mozilla browser.

---

But what says the HTTP standard?

The User-Agent request-header field contains information about the user agent originating the request. This is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents for the sake of tailoring responses to avoid particular user agent limitations. User agents SHOULD include this field with requests. The field can contain multiple product tokens (section 3.8) and comments identifying the agent and any subproducts which form a significant part of the user agent. By convention, the product tokens are listed in order of their significance for identifying the application.

Let's have a look at section 3.8

Product tokens are used to allow communicating applications to identify themselves by software name and version. Most fields using product tokens also allow sub-products which form a significant part of the application to be listed, separated by white space. By convention, the products are listed in order of their significance for identifying the application.

First, the standard defines it as SHOULD being sent by the client, meaning it is not necessary at all. On the other hand section 3.8 suggests to use spaces to delimit individual features. But nothing is really standardized. A version number could probably look like CoolBrowser2+. Also comments are allowed.