Fri, 10 Apr 2026 17:02:29 +0000 https://bugs.horde.org/ticket/1022 Collapsing Horde sidebar results in empty cookie Summary: After having expanded several nodes in the Horde sidebar, collapsing all of them causes an empty cookie to be sent to the browser. Server-side software such as the Apache mod_security module might detect this as an exploit of some sort, as seen in the mod_security audit report below: ======================================== Request: x.x.x.x - - [27/Dec/2004:09:42:27 --0500] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 403 229 Handler: application/x-httpd-php ---------------------------------------- GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://horde.prwdot.org/services/portal/sidebar.php Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322) Host: x.y.z Connection: Keep-Alive Cookie: Horde=xxxxxxxxxxxxxxxxxxxxx; auth_key=xxxxxxxxxxxxxxxxxxxx; imp_key=xxxxxxxxxxxxxxxxx; horde_menu_expanded= mod_security-message: Invalid cookie format: Cookie value is missing #2 mod_security-action: 403 HTTP/1.1 403 Forbidden Content-Length: 229 Keep-Alive: timeout=30, max=59 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 --------------------- As seen in the above report, the horde_menu_expanded cookie is empty. In this particular mod_security configuration, mod_security generates an error 403 denied. A browser-side workaround is to simply re-expand one or more Horde menus, thus sending back a non-empty horde_menu_expanded cookie. For a server-side code fix, perhaps change Horde_Tree.prototype._setCookie in horde/templates/javascript/tree.js so that an empty cookie will not be set in the browser, or so that it would set the cookie to expire in the past, thus removing the empty cookie at the browser's earliest convenience. I'm sure there is some other good way to get around this issue. Mon, 27 Dec 2004 15:08:30 +0000 https://bugs.horde.org/ticket/1022#t3942 P.S. I have confirmed this behavior in: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322) (aka MSIE 6 on Windows XP Pro SP2) and User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041216 Firefox/1.0+ (aka Firefox 1.0+ nightly build on Windows XP Pro SP2) Mon, 27 Dec 2004 16:03:27 +0000 https://bugs.horde.org/ticket/1022#t3943 Interestingly, I do *not* see this behavior with Safari 1.2.4 (v125.12) on Mac OS X 10.3.7. Just Firefox and MSIE on Windows. Thu, 30 Dec 2004 02:26:38 +0000 https://bugs.horde.org/ticket/1022#t3974 Cookie values shouldn't be empty anymore; try this patch: http://cvs.horde.org/diff.php/horde/templates/javascript/tree.js?r1=1.62&r2=1.62.2.1&ty=u Fri, 31 Dec 2004 04:30:50 +0000 https://bugs.horde.org/ticket/1022#t3998 Yep, that fixed the empty cookie behavior. Thanks! Fri, 31 Dec 2004 04:40:24 +0000 https://bugs.horde.org/ticket/1022#t4000