valid XHTML with PHP sessions

a google search for "phpsessionid valid xhtml" currently returns 13 results, none of which explain how to produce valid xhtml with php's automatic phpsessionid. it took me a while to figure it out, so hopefully this post will show up in those results soon and help someone else out. what you need to do is put this at the beginning of your script:

ini_set( 'arg_separator.output' , '&' );
ini_set( 'url_rewriter.tags' , 'a=href,area=href,frame=src,input=src,fieldset=' );

the first part will make the automatic URL rewriting for sessions use the HTML entity &amp; rather than the default &, which is invalid XHTML. the next line will add the hidden form input (which is valid XHTML) inside a <fieldset> rather than the default, immediately after the <form> tag, which is invalid XHTML. if you don't already have them, you need to put <fieldset> tags inside all <form> tags to get forms to work with PHP sessions. this will change the appearance of your forms, but you can change it back with some CSS styling.

what's a phpsessionid?
i guess i should have put my standard geek disclaimer on this.

phpsessionid is a string of text a php script uses to identify you between pages. if you have cookies, it goes in the cookie, but if you don't have cookies, it gets automatically added to any links, so that when you click on a link, the new page will know you are the same person who just loaded the previous page. you can see this in action by turning off cookies and clicking around
I've been making valid xhtml strict web pages for a while now and have always had a problem with the php session id. It never really mattered until recently as I only ever used it for the CMS of a site (the users of which didnt care about the strict xhtml). However, recently I have had to make a site that requires sessions on the public pages, and had the problem of it not validating against the w3c validator. This fix has sorted that out. Great work! It is really appreciated.
great - about five minutes ago the validation results showed me this error; two minutes later google lead me here.
I don't use the php supplied session handling but I do use url rewriting. I can't believe php does not use the html entity by default. At any rate, your site came right up in a Google search. Thanks for the info.
Excellent - I spent ages searching around for a solution like this. I still find it surprising PHP doesn't use & by default though...
Thank you so much! I was banging my head against the wall trying to figure out how to contain the hidden session
Thanks Scott. Like everyone else I was banging my head against the wall trying to get my session based applications to validate.
THX man!

I had searched the internet before for an earlier project which gave me similar headaches, and now your post showed up on google within seconds... Excellent!
You could also try adding this on your .htaccess file instead.

<IfModule mod_php4.c>

php_flag session.use_trans_sid off


Thanks scott and AlienX both methods seem to work, which is better. I like the idea of just updating one htaccess file.

Turning trans_sid off might cause problems with some users. PHP first tries to save the session id with a cookie but not everyone might have cookies or block them. If you have enabled trans_sid, those users can still use sessions by passing it with urls and in forms. On the other hand, trans_sid is also security risk for session hijacking when inexpirienced users post a url that contains their session id.
scotts solution is more correct but a bit more complicated to do. AlienXs solution is more a work-around than a fix.
I was yet looking for a solution, because I cannot modify my provider's php.ini, and your hint works well for me. Thanks a lot!
Thanks for posting this Scott, exactly what I needed.
just another positive comment, great work - thanks!
oh yessssssssssssssssssn you saved my life !
big thanks
Marvelous, this works for me.
But i don't understand the url-rewriter concept, could you explain please ?
URLs are only rewritten if cookies are turned off. In that case, standard URLs have a session ID appended to the query string. Forms get a hidden input field to pass the session ID, but by default this input field is put immediately after the form tag, which creates invalid XHTML. The second line of code changes this so that it adds the input field immediately after a fieldset tag (which goes within a form tag). This creates valid XHTML.
Sorry; but this page doesn't seem to validate.
Thanks, ccMods, my weblog was ironically invalid, though it had nothing to do with PHP sessions. I fixed it nonetheless.
That is the best this I have ever seen. Thankyou for writing this simple solution to my major problem
finally a solution. tnx:)
hey guys,
in which script do i have to put these two lines in? in my php file? i thought there mustnt be anything before the session_start(); ?! so please help me, i really need to know.

got it! i have just placed it in front of the session_start();... seems to work very well! thank mate!
I got the same problem. Thanks a lot!!
Thank you so much! This has been driving me crazy.
I know it makes for a boring comments page, but I'd like to add another vote of thanks.

Fixed my problem and satisfied my anal-retentive streak for producing XHTML Strict instead of Transitional.

And I even (kind of) understood what you did ...

Thank you.
Had some problems at first because I inserted spaces (like this: "tag1=value1, tag2=value2" in the the second argument string for ini_set. The page validated but no phpsessionid was added to the form inside . The strings were identical except for the spaces so I guess the php-parser just don't like the spacing. Thought I'd share this as there might be more people out there who like to "space-things-up".

Excellent info, Scott!
Yes! This is what I was looking for for about a month! Everywhere on internet only the same question and no answer. (except the one using php.ini = useless) God bless you. :-)

Be number 30:

knows half of 8 is