john at johnallsopp.co.uk wrote:
> I'm not sure under what circumstances PHP does this, though, so maybe
> I'm missing something.
>

PHP adds the session id whenever there is a session id and PHP didn't get it from $_COOKIE['PHPSESSID'], so long as session.use_trans_sid is set to 1. When a session is started, PHP automatically sends a cookie called PHPSESSID, so on subsequent page requests, a user agent that accepts cookies will send it back so PHP can continue the same session. Both bots and browsers making their first request to the page will see PHPSESSID added in the HTML.

> The SESSID doesn't appear to the user running a browser because that
> accepts cookies. I think sticking SESSID into the form is PHP's way of
> passing the session id when the browser doesn't accept cookies. I
> presume the W3C validator acts like a browser that doesn't.

Mostly correct, but PHP doesn't know if the user agent accepts cookies unless the user agent has sent it the cookie it wants to set. Neither the validator nor a browser on its first visit to the site will be sending that cookie under most circumstances.

I agree with the suggestion that turning off session.use_trans_sid is your best option. Its only downside is that if you have any visitors with cookies turned off, they will start a new session with each page load.
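
The rule described in the reply above, as an added example that is not part of the original message and is not PHP's own code: a small Python model that follows one client over several requests and records whether the session id appears in the HTML. The sample page, the function names and the simplified rewriting of links and forms are assumptions made for illustration.

```python
import re
import secrets

SESSION_NAME = "PHPSESSID"
# Constructed sample page: one relative link and one form.
PAGE = '<a href="next.php">next</a><form action="save.php" method="post"></form>'

def add_sid(html, sid):
    """Simplified stand-in for PHP's URL rewriter: tag relative links and forms."""
    def link(m):
        sep = "&" if "?" in m.group(2) else "?"
        return f'{m.group(1)}{m.group(2)}{sep}{SESSION_NAME}={sid}"'
    html = re.sub(r'(<a\s[^>]*href=")(?![a-z]+:|//)([^"]*)"', link, html)
    hidden = f'<input type="hidden" name="{SESSION_NAME}" value="{sid}" />'
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + hidden, html)

def serve(cookies, html, use_trans_sid, url_sid=None):
    """One page request: return (session id, HTML sent to the client)."""
    cookie_sid = cookies.get(SESSION_NAME)
    sid = cookie_sid or url_sid or secrets.token_hex(16)
    # The rule from the reply: rewrite only when the id did not arrive in the cookie.
    if use_trans_sid and cookie_sid is None:
        html = add_sid(html, sid)
    return sid, html

def simulate(accepts_cookies, use_trans_sid, requests=3):
    """Follow the same client across several requests.
    Returns a list of (session id, id visible in HTML), one entry per request."""
    jar, url_sid, seen = {}, None, []
    for _ in range(requests):
        sid, body = serve(jar, PAGE, use_trans_sid, url_sid)
        exposed = SESSION_NAME in body
        seen.append((sid, exposed))
        if accepts_cookies:
            jar[SESSION_NAME] = sid      # cookie comes back on the next request
        elif exposed:
            url_sid = sid                # client follows a rewritten link
    return seen

if __name__ == "__main__":
    for cookies, trans in [(True, True), (False, True), (False, False)]:
        run = simulate(cookies, trans)
        print(f"cookies={cookies} use_trans_sid={trans}:",
              [exposed for _, exposed in run], "sessions:", len({s for s, _ in run}))
```

With the setting on, the id appears in the first response even for a cookie-accepting client; with it off, the cookie-less client never sees the id in markup but gets a fresh session on every request.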