Summary | Collapsing Horde sidebar results in empty cookie |
Queue | Horde Base |
Queue Version | 3.0 |
Type | Bug |
State | Resolved |
Priority | 2. Medium |
Owners | |
Requester | peter (at) prwdot (dot) org |
Created | 12/27/2004 (7508 days ago) |
Due | |
Updated | 12/31/2004 (7504 days ago) |
Assigned | |
Resolved | 12/31/2004 (7504 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
State ⇒ Resolved
http://cvs.horde.org/diff.php/horde/templates/javascript/tree.js?r1=1.62&r2=1.62.2.1&ty=u
(v125.12) on Mac OS X 10.3.7. Just Firefox and MSIE on Windows.
I have confirmed this behavior in:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
.NET CLR 1.0.3705; .NET CLR 1.1.4322) (aka MSIE 6 on Windows XP Pro SP2)
and
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6)
Gecko/20041216 Firefox/1.0+ (aka Firefox 1.0+ nightly build on Windows
XP Pro SP2)
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ Collapsing Horde sidebar results in empty cookie
Queue ⇒ Horde Base
After having expanded several nodes in the Horde sidebar, collapsing
all of them causes an empty cookie to be sent to the browser.
Server-side software such as the Apache mod_security module might
detect this as an exploit of some sort, as seen in the mod_security
audit report below:
========================================
Request: x.x.x.x - - [27/Dec/2004:09:42:27 --0500] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 403 229
Handler: application/x-httpd-php
----------------------------------------
GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://horde.prwdot.org/services/portal/sidebar.php
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Host: x.y.z
Connection: Keep-Alive
Cookie: Horde=xxxxxxxxxxxxxxxxxxxxx; auth_key=xxxxxxxxxxxxxxxxxxxx; imp_key=xxxxxxxxxxxxxxxxx; horde_menu_expanded=
mod_security-message: Invalid cookie format: Cookie value is missing
mod_security-action: 403
HTTP/1.1 403 Forbidden
Content-Length: 229
Keep-Alive: timeout=30, max=59
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
---------------------
As seen in the above report, the horde_menu_expanded cookie is empty.
In this particular mod_security configuration, mod_security responds
with a 403 (denied) error.
A browser-side workaround is to simply re-expand one or more Horde
menus, thus sending back a non-empty horde_menu_expanded cookie.
For a server-side code fix, perhaps change
Horde_Tree.prototype._setCookie in horde/templates/javascript/tree.js
so that an empty cookie will not be set in the browser, or so that it
would set the cookie to expire in the past, thus removing the empty
cookie at the browser's earliest convenience. I'm sure there is some
other good way to get around this issue.
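As an added example (not code from this ticket or from Horde's tree.js), the following shows the second fix suggested above, expiring the cookie in the past instead of storing an empty value, next to a check that mirrors the "Cookie value is missing" complaint in the audit report. The cookie-jar stand-in and all function names are hypothetical.

```javascript
// Build the string a tree widget would assign to document.cookie.
// With no expanded nodes, expire the cookie in the past (the standard way
// to delete a cookie) rather than sending "horde_menu_expanded=".
function buildMenuCookie(name, expandedNodes, path) {
  const value = expandedNodes.join(',');
  if (value === '') {
    return name + '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=' + path;
  }
  return name + '=' + encodeURIComponent(value) + '; path=' + path;
}

// Minimal stand-in for the browser's cookie jar (constructed for this
// example): keeps name=value pairs and drops a pair whose expiry date lies
// in the past, as a real browser does.
function makeCookieJar() {
  const jar = new Map();
  return {
    set(cookieString) {
      const parts = cookieString.split(';').map(s => s.trim());
      const eq = parts[0].indexOf('=');
      const name = parts[0].slice(0, eq);
      const value = parts[0].slice(eq + 1);
      const expires = parts.find(p => p.toLowerCase().startsWith('expires='));
      if (expires && Date.parse(expires.slice(8)) < Date.now()) {
        jar.delete(name);
      } else {
        jar.set(name, value);
      }
    },
    // What the browser would place in the Cookie request header.
    header() {
      return [...jar].map(([k, v]) => k + '=' + v).join('; ');
    },
  };
}

// Names of cookies sent with an empty value. The request in the audit
// report was rejected because this list was non-empty.
function emptyCookieNames(cookieHeader) {
  if (!cookieHeader) return [];
  return cookieHeader.split(';')
    .map(p => p.trim())
    .filter(p => p.length > 0)
    .map(p => p.split('='))
    .filter(([, v]) => v === undefined || v === '')
    .map(([k]) => k);
}
```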