a google search for "phpsessionid valid xhtml" currently returns 13 results, none of which explain how to produce valid xhtml with php's automatic phpsessionid. it took me a while to figure it out, so hopefully this post will show up in those results soon and help someone else out. what you need to do is put this at the beginning of your script:

ini_set( 'arg_separator.output' , '&' );
ini_set( 'url_rewriter.tags' , 'a=href,area=href,frame=src,input=src,fieldset=' );

the first part will make the automatic URL rewriting for sessions use the HTML entity &amp; rather than the default &, which is invalid XHTML. the next line will add the hidden form input (which is valid XHTML) inside a <fieldset> rather than the default, immediately after the <form> tag, which is invalid XHTML. if you don't already have them, you need to put <fieldset> tags inside all <form> tags to get forms to work with PHP sessions. this will change the appearance of your forms, but you can change it back with some CSS styling.