[thelist] PHP Session ID stopping HTML validation

Max Schwanekamp lists at neptunewebworks.com
Fri Mar 31 04:10:32 CST 2006

Ian Anderson wrote:
> john at johnallsopp.co.uk wrote:
>>It's the fact that PHP puts its session id field straight after the
>><form> tag that's stopping the page from validating.
> Is this some additional module, or some php.ini switch, then? I use 
> cookie-based session handling in PHP

This is session.use_trans_sid[0]. A moderate security risk to use it, 
and generally just an irritating "feature" in most situations. Must have 
had some use for someone with access to the PHP core, way back when. 
Most hosts have this disabled for good reason.  If you're on Apache, I 
suggest making sure you have this in your .htaccess file:
php_value session.auto_start 1
php_value session.use_trans_sid 0
php_value session.use_cookies 1
php_value session.use_only_cookies 1
Otherwise, make sure you use ini_set() to at the top of your script.  If 
you want cookie-disabled UAs (most commonly spiders and scrapers) to be 
able to carry a session (?!?!?) toggle that last one.

[0] http://us3.php.net/manual/en/ref.session.php
Max Schwanekamp

More information about the thelist mailing list