valid XHTML with PHP sessions

a google search for "phpsessionid valid xhtml" currently returns 13 results, none of which explain how to produce valid xhtml with php's automatic phpsessionid. it took me a while to figure it out, so hopefully this post will show up in those results soon and help someone else out. what you need to do is put this at the beginning of your script:

ini_set( 'arg_separator.output' , '&' );
ini_set( 'url_rewriter.tags' , 'a=href,area=href,frame=src,input=src,fieldset=' );

the first part will make the automatic URL rewriting for sessions use the HTML entity &amp; rather than the default &, which is invalid XHTML. the next line will add the hidden form input (which is valid XHTML) inside a <fieldset> rather than the default, immediately after the <form> tag, which is invalid XHTML. if you don't already have them, you need to put <fieldset> tags inside all <form> tags to get forms to work with PHP sessions. this will change the appearance of your forms, but you can change it back with some CSS styling.

Posted by Scott Reynen on Nov 14, 2004 — 12:57 pm | 29 comments | Tags: php xhtml
 
 
 
what's a phpsessionid?
 
jessica on Nov 17, 2004 – 2:06 pm
1
 
 
 
i guess i should have put my standard geek disclaimer on this.

phpsessionid is a string of text a php script uses to identify you between pages. if you have cookies, it goes in the cookie, but if you don't have cookies, it gets automatically added to any links, so that when you click on a link, the new page will know you are the same person who just loaded the previous page. you can see this in action by turning off cookies and clicking around randomchaos.com.
 
scott reynen on Nov 17, 2004 – 6:02 pm
2
 
 
 
I've been making valid xhtml strict web pages for a while now and have always had a problem with the php session id. It never really mattered until recently as I only ever used it for the CMS of a site (the users of which didnt care about the strict xhtml). However, recently I have had to make a site that requires sessions on the public pages, and had the problem of it not validating against the w3c validator. This fix has sorted that out. Great work! It is really appreciated.
 
Ben on Dec 7, 2004 – 8:37 am
3
 
 
 
great - about five minutes ago the validation results showed me this error; two minutes later google lead me here.
thx!
 
christian on Dec 7, 2004 – 10:49 am
4
 
 
 
I don't use the php supplied session handling but I do use url rewriting. I can't believe php does not use the html entity by default. At any rate, your site came right up in a Google search. Thanks for the info.
 
Jared on Dec 10, 2004 – 6:12 pm
5
 
 
 
Excellent - I spent ages searching around php.net for a solution like this. I still find it surprising PHP doesn't use & by default though...
 
Alan on Jan 4, 2005 – 4:08 pm
6
 
 
 
Thank you so much! I was banging my head against the wall trying to figure out how to contain the hidden session
 
Jeremy on Jan 23, 2005 – 1:40 pm
7
 
 
 
Thanks Scott. Like everyone else I was banging my head against the wall trying to get my session based applications to validate.
 
Joe on Feb 15, 2005 – 8:17 pm
8
 
 
 
THX man!

I had searched the internet before for an earlier project which gave me similar headaches, and now your post showed up on google within seconds... Excellent!
 
Vincent on Feb 19, 2005 – 1:22 pm
9
 
 
 
You could also try adding this on your .htaccess file instead.

<IfModule mod_php4.c>

php_flag session.use_trans_sid off

</IfModule>

.alienx
 
AlienX on Feb 21, 2005 – 5:42 am
10
 
 
 
Thanks scott and AlienX both methods seem to work, which is better. I like the idea of just updating one htaccess file.

Best
 
riki on Mar 17, 2005 – 5:56 am
11
 
 
 
Turning trans_sid off might cause problems with some users. PHP first tries to save the session id with a cookie but not everyone might have cookies or block them. If you have enabled trans_sid, those users can still use sessions by passing it with urls and in forms. On the other hand, trans_sid is also security risk for session hijacking when inexpirienced users post a url that contains their session id.
scotts solution is more correct but a bit more complicated to do. AlienXs solution is more a work-around than a fix.
 
Adrian on Apr 22, 2005 – 5:40 am
12
 
 
 
I was yet looking for a solution, because I cannot modify my provider's php.ini, and your hint works well for me. Thanks a lot!
 
MacMark on Apr 28, 2005 – 9:06 am
13
 
 
 
Thanks for posting this Scott, exactly what I needed.
 
Benny on May 25, 2005 – 2:07 pm
14
 
 
 
just another positive comment, great work - thanks!
 
LukeManic on Aug 20, 2005 – 1:39 pm
15
 
 
 
oh yessssssssssssssssssn you saved my life !
big thanks
 
JaqueJo on Aug 22, 2005 – 7:29 pm
16
 
 
 
Marvelous, this works for me.
But i don't understand the url-rewriter concept, could you explain please ?
 
miss katy on Aug 22, 2005 – 7:31 pm
17
 
 
 
URLs are only rewritten if cookies are turned off. In that case, standard URLs have a session ID appended to the query string. Forms get a hidden input field to pass the session ID, but by default this input field is put immediately after the form tag, which creates invalid XHTML. The second line of code changes this so that it adds the input field immediately after a fieldset tag (which goes within a form tag). This creates valid XHTML.
 
Scott Reynen on Aug 22, 2005 – 11:16 pm
18
 
 
 
Sorry; but this page doesn't seem to validate.
 
ccMods on Aug 25, 2005 – 6:47 am
19
 
 
 
Thanks, ccMods, my weblog was ironically invalid, though it had nothing to do with PHP sessions. I fixed it nonetheless.
 
Scott Reynen on Aug 26, 2005 – 9:44 pm
20
 
 
 
That is the best this I have ever seen. Thankyou for writing this simple solution to my major problem
 
Dedart on Oct 25, 2005 – 5:17 am
21
 
 
 
finally a solution. tnx:)
 
ns on Nov 10, 2005 – 12:03 pm
22
 
 
 
hey guys,
in which script do i have to put these two lines in? in my php file? i thought there mustnt be anything before the session_start(); ?! so please help me, i really need to know.

thanks
 
alex on Dec 28, 2005 – 8:49 am
23
 
 
 
got it! i have just placed it in front of the session_start();... seems to work very well! thank mate!
 
alex on Dec 28, 2005 – 8:57 am
24
 
 
 
I got the same problem. Thanks a lot!!
 
Mike on Sep 2, 2006 – 10:37 pm
25
 
 
 
Thank you so much! This has been driving me crazy.
 
Dee on Feb 27, 2007 – 4:33 pm
26
 
 
 
I know it makes for a boring comments page, but I'd like to add another vote of thanks.

Fixed my problem and satisfied my anal-retentive streak for producing XHTML Strict instead of Transitional.

And I even (kind of) understood what you did ...

Thank you.
 
Steve on Mar 22, 2007 – 6:33 am
27
 
 
 
Had some problems at first because I inserted spaces (like this: "tag1=value1, tag2=value2" in the the second argument string for ini_set. The page validated but no phpsessionid was added to the form inside . The strings were identical except for the spaces so I guess the php-parser just don't like the spacing. Thought I'd share this as there might be more people out there who like to "space-things-up".

Excellent info, Scott!
Thanks
 
Thomas on Jul 18, 2007 – 1:13 am
28
 
 
 
Yes! This is what I was looking for for about a month! Everywhere on internet only the same question and no answer. (except the one using php.ini = useless) God bless you. :-)
 
Jakub Tomek on Nov 16, 2008 – 4:37 am
29

Be number 30:

 
 
 
knows 2 + one =