We are seeing exactly the same issue. I have been able to connect to an offending machine, and ascertained that the issue is not in the web browser. The issue affects Chrome, Edge and Firefox. You can hard-code the UA string in DevTools, and when you inspect the network traffic in the browser, the UA is transmitted uncontaminated. But by the time it hits the server it has been tampered with. See below:
Transmitted by browser in headers:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Request 1 hitting the server:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Trailer/90.3.4112.13
Request 2 hitting the server:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Agency/100.8.3787.88
I think AVG anti-virus is to blame. Once it was removed and replaced with BitDefender or Avast, the problem went away. I’m going to contact AVG now to see if they are the culprit. Hopefully other people will find this post and add to it and we can start to get to the bottom of the issue.
If the UA is used as part of your authentication / security, then the change between requests is a real nuisance.
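
As an added illustration (not part of the original post): a server-side check that compares the User-Agent values seen within one session and separates the pattern shown above, where only a single trailing product token is appended or swapped, from a real change of browser. The function names, session ids and the `max_extra` threshold are assumptions; the UA strings are the ones quoted in the post.

```python
import re

# A UA is a sequence of product tokens ("Name/Version") and parenthesised comments.
_TOKEN = re.compile(r"\([^)]*\)|[^\s()]+")
_PRODUCT = re.compile(r"^([^\s/()]+)/(\S+)$")

def _tail_names(tokens):
    """Product names of the tokens, or None if any token is not Name/Version."""
    names = set()
    for tok in tokens:
        m = _PRODUCT.match(tok)
        if m is None:
            return None
        names.add(m.group(1))
    return names

def classify(ua_a, ua_b, max_extra=1):
    """Return 'same', 'trailing-token-drift' or 'different' for two UA strings."""
    a, b = _TOKEN.findall(ua_a), _TOKEN.findall(ua_b)
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1  # length of the shared leading token sequence
    tail_a, tail_b = a[i:], b[i:]
    if not tail_a and not tail_b:
        return "same"
    names_a, names_b = _tail_names(tail_a), _tail_names(tail_b)
    # Drift: short tails of product tokens whose names differ (e.g. Trailer vs Agency).
    # A version bump of the same product (Firefox/110 -> Firefox/111) is not drift.
    if (i > 0 and names_a is not None and names_b is not None
            and max(len(tail_a), len(tail_b)) <= max_extra
            and names_a.isdisjoint(names_b)):
        return "trailing-token-drift"
    return "different"

def sessions_with_drift(records):
    """records: iterable of (session_id, ua). Returns ids whose UA changed only at the tail."""
    first, flagged = {}, []
    for sid, ua in records:
        base = first.setdefault(sid, ua)  # first UA seen for this session
        if classify(base, ua) == "trailing-token-drift" and sid not in flagged:
            flagged.append(sid)
    return flagged

# Constructed sample: UA strings quoted in the post; session ids are made up.
BASE = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36")
REQ1 = BASE + " Trailer/90.3.4112.13"
REQ2 = BASE + " Agency/100.8.3787.88"
LOG = [("s1", REQ1), ("s1", REQ2), ("s2", BASE), ("s2", BASE)]

if __name__ == "__main__":
    print(sessions_with_drift(LOG))
```

Run over access logs keyed by session, this shows how many sessions are hit by the trailing-token change before deciding how a UA-based session check should treat it.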