[thelist] PHP Session ID stopping HTML validation
misterhaan
misterhaan at track7.org
Fri Mar 31 08:12:18 CST 2006
john at johnallsopp.co.uk wrote:
> I'm not sure under what circumstances PHP does this, though, so maybe
> I'm missing something.
>
PHP adds the session id whenever there is a session id and PHP didn't
get it from $_COOKIES['PHPSESSID'], so long as session.use_trans_sid is
set to 1. When a session is started, PHP automatically sends a cookie
called PHPSESSID, so on subsequent page requests, a useragent that
accepts cookies will send it back so PHP can continue the same session.
Both bots and browsers making their first request to the page will see
PHPSESSID added in the HTML.
> The SESSID doesn't appear to the user running a browser because that
> accepts cookies. I think sticking SESSID into the form is PHP's way of
> passing the session id when the browser doesn't accept cookies. I
> presume the W3C validator acts like a browser that doesn't.
Mostly correct, but PHP doesn't know if the useragent accepts cookies
unless the useragent has sent it the cookie it wants to set. Neither
the validator nor a browser on its first visit to the site will be
sending that cookie under most circumstances.
I agree with the suggestion that turning off session.use_trans_sid is
your best option. Its only downside is that if you have any visitors
with cookies turned off, they will start a new session with each page load.
More information about the thelist
mailing list