[thelist] PHP Session ID stopping HTML validation

misterhaan misterhaan at track7.org
Fri Mar 31 08:12:18 CST 2006

john at johnallsopp.co.uk wrote:
> I'm not sure under what circumstances PHP does this, though, so maybe
> I'm missing something.
PHP adds the session id whenever there is a session id and PHP didn't 
get it from $_COOKIES['PHPSESSID'], so long as session.use_trans_sid is 
set to 1.  When a session is started, PHP automatically sends a cookie 
called PHPSESSID, so on subsequent page requests, a useragent that 
accepts cookies will send it back so PHP can continue the same session.  
Both bots and browsers making their first request to the page will see 
PHPSESSID added in the HTML.

> The SESSID doesn't appear to the user running a browser because that
> accepts cookies. I think sticking SESSID into the form is PHP's way of
> passing the session id when the browser doesn't accept cookies. I
> presume the W3C validator acts like a browser that doesn't.
Mostly correct, but PHP doesn't know if the useragent accepts cookies 
unless the useragent has sent it the cookie it wants to set.  Neither 
the validator nor a browser on its first visit to the site will be 
sending that cookie under most circumstances.

I agree with the suggestion that turning off session.use_trans_sid is 
your best option.  Its only downside is that if you have any visitors 
with cookies turned off, they will start a new session with each page load.

More information about the thelist mailing list