I could have tried

/; foliosec=[a-z]+;/

but I was too lazy to find out if semi-colons need to be escaped (as seems likely), didn't want to start faffing around with regex voodoo, and was tickled by the one-caricature fix (apologies to bastard for that).

The likelihood of another cookie that includes "foliosec" as part of its name in this site is remote.

I'm considering whether using cookies makes the whole thing a bit too fragile, and will try url-based variables instead, which is how e.g. angularjs does it.

Semi-colon doesn't need escaping. Only these do: ^.$*+?\|()[]{}

And it really isn't voodoo; it's a very easy language to learn.

Got the URL-based vars coded up without too much trouble (even learned the simple trick of rewriting the URL hash on the fly) and it seems considerably more responsive than the cookie vars. Probly make the patches live tomorrow.