Ignore the IP Address check from the XSRF token and add a user agent check.

library/Unl/XsrfToken.php

@@ -59,7 +59,8 @@ class Unl_XsrfToken
         $token = array(
             'expires' => $expires,
             'formUrl' => $_SERVER['SCRIPT_URI'],
-            'remoteAddress' => $_SERVER['REMOTE_ADDR']
+            'remoteAddress' => $_SERVER['REMOTE_ADDR'],
+            'userAgent' => $_SERVER['HTTP_USER_AGENT'],
         );
         $tokenId = base64_encode(hash('sha256', microtime(TRUE), TRUE));
         $this->_session->tokens[$tokenId] = $token;
@@ -87,13 +88,17 @@ class Unl_XsrfToken
     		return FALSE;
     	}
     	if ($token['remoteAddress'] != $_SERVER['REMOTE_ADDR']) {
-    	    $log->log('XSRF: Remote address changed.', Zend_Log::ERR);
-            return FALSE;
+    	    $log->log('XSRF: Remote address changed. (ignoring)', Zend_Log::ERR);
+            //return FALSE;
     	}
     	if ($token['formUrl'] != $_SERVER['HTTP_REFERER']) {
     	    $log->log('XSRF: Referer doesn\'t match form url.', Zend_Log::ERR);
     		return FALSE;
     	}
+    	if ($token['userAgent'] != $_SERVER['HTTP_USER_AGENT']) {
+    	    $log->log('XSRF: User agent has changed.', Zend_Log::ERR);
+    	    return FALSE;
+    	}
     	
     	if ($onceOnly) {
             unset($this->_session->tokens[$tokenId]);