diff --git a/app/config/core.php b/app/config/core.php
index f9ecca1a4..3a7b7275b 100644
--- a/app/config/core.php
+++ b/app/config/core.php
@@ -106,14 +106,24 @@
 * The table name set here should *not* include any table prefix defined elsewhere.
 */
 Configure::write('Session.table', 'cake_sessions');
-/**
- * A random string used in security hashing methods.
- */
- Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');
 /**
 * The name of CakePHP's session cookie.
 */
 Configure::write('Session.cookie', 'CAKEPHP');
+/**
+ * Session time out time (in seconds).
+ * Actual value depends on 'Security.level' setting.
+ */
+ Configure::write('Session.timeout', '120');
+/**
+ * If set to false, sessions are not automatically started.
+ */
+ Configure::write('Session.start', true);
+/**
+ * When set to false, HTTP_USER_AGENT will not be checked
+ * in the session
+ */
+ Configure::write('Session.checkAgent', true);
 /**
 * The level of CakePHP security. The session timeout time defined
 * in 'Session.timeout' is multiplied according to the settings here.
@@ -128,10 +138,9 @@
 */
 Configure::write('Security.level', 'high');
 /**
- * Session time out time (in seconds).
- * Actual value depends on 'Security.level' setting.
+ * A random string used in security hashing methods.
 */
- Configure::write('Session.timeout', '120');
+ Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');
 /**
 * Compress CSS output by removing comments, whitespace, repeating tags, etc.
 * This requires a/var/cache directory to be writable by the web server for caching.
@@ -139,10 +148,6 @@
 * To use, prefix the CSS link URL with '/ccss/' instead of '/css/' or use Controller::cssTag().
 */
 define('COMPRESS_CSS', false);
-/**
- * If set to false, sessions are not automatically started.
- */
- Configure::write('Session.start', true);
 /**
 * The classname and database used in CakePHP's
 * access control lists.
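Review bot: The comment added for `Session.checkAgent` in the first hunk says only that HTTP_USER_AGENT "will not be checked", without saying what the check protects against, so a deployer has no basis for deciding whether turning it off is safe. Elsewhere in this diff a user-agent mismatch is what CakeSession reports as "Session Highjacking Attempted", so disabling the flag removes that detection entirely. I would expand the comment to `* When set to false, HTTP_USER_AGENT will not be checked in the session.` followed by `* The agent check is a session-hijacking detection; disable it only when clients legitimately change user agent mid-session.`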
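Review bot: The `Security.salt` line re-added in the second hunk ships the fixed value `DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi`, and its comment "A random string used in security hashing methods" never tells the deployer to change it. The same diff shows this salt being mixed into the session agent hash (`md5(env('HTTP_USER_AGENT') . Configure::read('Security.salt'))`), so an install that keeps the default gets a hash anyone who has read the framework source can reproduce; whatever else `Security.salt` feeds is not visible here, but the same reasoning applies. At minimum the comment should read `* A random string used in security hashing methods. The value shipped here is a placeholder shared by every install; replace it with a long random string before deploying.`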
diff --git a/cake/console/libs/templates/skel/config/core.php b/cake/console/libs/templates/skel/config/core.php
index f9ecca1a4..3a7b7275b 100644
--- a/cake/console/libs/templates/skel/config/core.php
+++ b/cake/console/libs/templates/skel/config/core.php
@@ -106,14 +106,24 @@
 * The table name set here should *not* include any table prefix defined elsewhere.
 */
 Configure::write('Session.table', 'cake_sessions');
-/**
- * A random string used in security hashing methods.
- */
- Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');
 /**
 * The name of CakePHP's session cookie.
 */
 Configure::write('Session.cookie', 'CAKEPHP');
+/**
+ * Session time out time (in seconds).
+ * Actual value depends on 'Security.level' setting.
+ */
+ Configure::write('Session.timeout', '120');
+/**
+ * If set to false, sessions are not automatically started.
+ */
+ Configure::write('Session.start', true);
+/**
+ * When set to false, HTTP_USER_AGENT will not be checked
+ * in the session
+ */
+ Configure::write('Session.checkAgent', true);
 /**
 * The level of CakePHP security. The session timeout time defined
 * in 'Session.timeout' is multiplied according to the settings here.
@@ -128,10 +138,9 @@
 */
 Configure::write('Security.level', 'high');
 /**
- * Session time out time (in seconds).
- * Actual value depends on 'Security.level' setting.
+ * A random string used in security hashing methods.
 */
- Configure::write('Session.timeout', '120');
+ Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');
 /**
 * Compress CSS output by removing comments, whitespace, repeating tags, etc.
 * This requires a/var/cache directory to be writable by the web server for caching.
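Review bot: The second hunk writes the same constant `Security.salt` into the console skeleton, which — judging by the `templates/skel` path — appears to be the file copied into newly generated applications, so every new app would start with a publicly known salt unless the developer notices the line. A generated config is the natural place to inject a freshly generated random value instead of a constant; whether the generator can do that is not visible here. If it cannot, the comment in this template should at least say `* Replace this placeholder with a random string unique to your application before deploying.` so the requirement travels with the generated file.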
@@ -139,10 +148,6 @@
 * To use, prefix the CSS link URL with '/ccss/' instead of '/css/' or use Controller::cssTag().
 */
 define('COMPRESS_CSS', false);
-/**
- * If set to false, sessions are not automatically started.
- */
- Configure::write('Session.start', true);
 /**
 * The classname and database used in CakePHP's
 * access control lists.
diff --git a/cake/libs/session.php b/cake/libs/session.php
index fe3cc5113..416b64670 100644
--- a/cake/libs/session.php
+++ b/cake/libs/session.php
@@ -64,7 +64,7 @@ class CakeSession extends Object {
 * @var string
 * @access protected
 */
- var $_userAgent = false;
+ var $_userAgent = '';
 /**
 * Path to where the session is active.
 *
@@ -115,15 +115,14 @@ class CakeSession extends Object {
 * @access public
 */
 function __construct($base = null, $start = true) {
-
 if (Configure::read('Session.save') === 'database' && !class_exists('ConnectionManager')) {
 uses('model' . DS . 'connection_manager');
 }
 
- if (env('HTTP_USER_AGENT') != null) {
- $this->_userAgent = md5(env('HTTP_USER_AGENT') . Configure::read('Security.salt'));
- } else {
- $this->_userAgent = "";
+ if (Configure::read('Session.checkAgent') === true) {
+ if (env('HTTP_USER_AGENT') != null) {
+ $this->_userAgent = md5(env('HTTP_USER_AGENT') . Configure::read('Security.salt'));
+ }
 }
 
 $this->time = time();
@@ -268,8 +267,10 @@ class CakeSession extends Object {
 */
 function valid() {
 if ($this->read('Config')) {
- if ($this->_userAgent == $this->read("Config.userAgent") && $this->time <= $this->read("Config.time")) {
- $this->valid = true;
+ if (Configure::read('Session.checkAgent') === false || $this->_userAgent == $this->read("Config.userAgent") && $this->time <= $this->read("Config.time")) {
+ if ($this->error === false) {
+ $this->valid = true;
+ }
 } else {
 $this->valid = false;
 $this->__setError(1, "Session Highjacking Attempted !!!");
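Review bot: The constructor hunk gates the hash on `Configure::read('Session.checkAgent') === true`, while `valid()` in the next hunk gates on `=== false`, so an application whose core.php predates this commit and has no `Session.checkAgent` key (read returns null) falls between the two: the constructor never computes `$this->_userAgent`, yet `valid()` still runs the comparison with the empty default. If `Config.userAgent` is populated from `$this->_userAgent` when the session is created (that write is outside this hunk), the comparison becomes `'' == ''` and the agent check passes vacuously, silently losing the protection on upgrade. I would make the constructor default to checking when the key is absent: `if (Configure::read('Session.checkAgent') !== false) {`. The rest of `__construct` continues past the end of this hunk.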
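Review bot: In the new `valid()` condition, `&&` binds tighter than `||`, so `checkAgent === false || $ua == stored && $time <= storedTime` parses as `checkAgent === false || ($ua == stored && $time <= storedTime)`: with the agent check disabled the `Config.time` expiry test is skipped entirely and an expired session is reported valid. The intended grouping is `if ((Configure::read('Session.checkAgent') === false || $this->_userAgent == $this->read("Config.userAgent")) && $this->time <= $this->read("Config.time")) {`. Separately, when the condition holds but `$this->error !== false`, the new inner `if` leaves `$this->valid` at whatever it was instead of setting it false — presumably intentional, but a comment such as `// a prior error keeps the session invalid` would make that explicit. The closing of `valid()` lies outside this hunk.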
@@ -401,6 +402,9 @@ class CakeSession extends Object {
 break;
 case 'medium':
 $this->cookieLifeTime = 7 * 86400;
+ if (function_exists('ini_set')) {
+ ini_set('session.referer_check', $this->host);
+ }
 break;
 case 'low':
 default:
@@ -489,13 +493,13 @@ class CakeSession extends Object {
 */
 function __checkValid() {
 if ($this->read('Config')) {
- if ($this->_userAgent == $this->read("Config.userAgent") && $this->time <= $this->read("Config.time")) {
+ if (Configure::read('Session.checkAgent') === false || $this->_userAgent == $this->read("Config.userAgent") && $this->time <= $this->read("Config.time")) {
 $this->write("Config.time", $this->sessionTime);
 $this->valid = true;
 } else {
+ $this->destroy();
 $this->valid = false;
 $this->__setError(1, "Session Highjacking Attempted !!!");
- $this->destroy();
 }
 } else {
 srand ((double)microtime() * 1000000);
diff --git a/cake/tests/cases/libs/session.test.php b/cake/tests/cases/libs/session.test.php
index 4c71056d4..689a23faf 100644
--- a/cake/tests/cases/libs/session.test.php
+++ b/cake/tests/cases/libs/session.test.php
@@ -88,6 +88,18 @@ class SessionTest extends UnitTestCase {
 $this->assertEqual($this->Session->read('SessionTestCase'), null);
 }
 
+ function testCheckUserAgentFalse() {
+ Configure::write('Session.checkAgent', false);
+ $this->Session->_userAgent = md5('http://randomdomainname.com' . Configure::read('Security.salt'));
+ $this->assertTrue($this->Session->valid());
+ }
+
+ function testCheckUserAgentTrue() {
+ Configure::write('Session.checkAgent', true);
+ $this->Session->_userAgent = md5('http://randomdomainname.com' . Configure::read('Security.salt'));
+ $this->assertFalse($this->Session->valid());
+ }
+
 function tearDown() {
 $this->Session->del('SessionTestCase');
 unset($this->Session);
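Review bot: The `ini_set('session.referer_check', $this->host)` added to the `medium` case relies on the client-supplied Referer header, and PHP applies it as a substring match that only fires when a Referer is present, so anyone who controls or omits the header walks past it; it is defense in depth, not hijacking protection, and the code should say so. It is also added only to `medium` — the `high` case, whose body ends at the `break;` just above this hunk, does not get it, which is surprising if the stricter level is meant to include the weaker level's measures. Where `$this->host` is assigned is outside the hunk, so I cannot confirm it is the bare hostname; if it can ever be empty the setting becomes a no-op. I would add above the `ini_set`: `// Defense in depth only: Referer is client-controlled and referer_check is a substring match.`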
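Review bot: The new condition in `__checkValid()` has the same precedence problem as the one in `valid()`: `&&` binds before `||`, so when `Session.checkAgent` is false the `$this->time <= $this->read("Config.time")` expiry test is never evaluated and an expired session is refreshed and marked valid. It should read `if ((Configure::read('Session.checkAgent') === false || $this->_userAgent == $this->read("Config.userAgent")) && $this->time <= $this->read("Config.time")) {`. Since this expression is now duplicated verbatim in two methods, a private helper such as `__agentMatches()` returning the parenthesised agent clause would keep them from drifting apart again. `__checkValid()` continues past the end of this hunk.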
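Review bot: Neither new test seeds `Config.userAgent` or `Config.time`, and `valid()` only reaches the agent comparison when `$this->read('Config')` is truthy, so unless `setUp` (outside this hunk) populates it the assertions may be exercising a different path than intended; a quick `$this->Session->write('Config.time', time() - 1);` variant with `Session.checkAgent` false that asserts `valid()` is false would pin the expiry behaviour that the disabled-agent branch is meant to preserve. `Configure::write('Session.checkAgent', ...)` also leaks global state into whichever test runs next, and the visible part of `tearDown` does not restore it; add `Configure::write('Session.checkAgent', true);` to `tearDown` (or capture and restore the prior value). `tearDown` continues past the end of this hunk.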