
Re: PHP session tracking in forms generating invalid markup

From: Samuel Rinnetmaki <samuel@iki.fi>
Date: Sun, 26 Feb 2006 13:37:26 +0200 (EET)
To: www-validator@w3.org
Cc: DifVgg Vorstand <vorstand@difvgg-priebe.de>
Message-ID: <Pine.LNX.4.44.0602261051270.15913-100000@mail.rumpalipoika.fi>

> > <form action="?log=login_r" method="post"><input type="hidden" 
> > name="PHPSESSID" value="46eda3e63dbdf10bc67f702249d90bda" />
> Generating the HTML by hand was the advice I received (from PHP
> experts) when I had that problem. I'm not aware of anything
> better.

I'm not sure about _better_, but alternatives exist.

PHP documentation [1] says:

url_rewriter.tags string
    url_rewriter.tags specifies which HTML tags are rewritten to include
    session id if transparent sid support is enabled. Defaults to 
    a=href,area=href,frame=src,input=src,form=fakeentry,fieldset=

        Note: If you want XHTML conformity, remove the form entry and 
        use the <fieldset> tags around your form fields.

Although the original poster isn't using XHTML, I believe his problem 
would be solved by changing url_rewriter.tags not to include form (and 
adding at least one fieldset element to each form).

You could also try to set form=action so that the session id would be 
added to the action parameters of all form elements in the same way that 
it's added to the href parameters of all a elements.  However, at least 
my PHP versions (4.3.10-16 and 4.4.2) will append the session id to the 
action parameter but in addition to that, it will also create the hidden 
input directly after the form element.  I consider this a PHP bug.

This problem is somewhat related to [2] (but has really nothing to do 
with ampersands).  Perhaps someone wants to document this issue and the 
proposed solutions as well?

Regards,

    Samuel

[1] http://php.net/manual/en/ref.session.php
[2] http://www.w3.org/QA/2005/04/php-session
Received on Sunday, 26 February 2006 12:02:40 GMT
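
The fieldset approach described in the message above, as an added example that is not part of the original post. It assumes transparent sid support is already enabled in php.ini, as in the original poster's setup; the field names `user` and `pass` are hypothetical.

```php
<?php
// Added example, not from the original message.
// Assumption: session.use_trans_sid is enabled in php.ini and the client
// sends no session cookie, so PHP rewrites the output to carry the id.

// Default value quoted from the PHP documentation:
//   a=href,area=href,frame=src,input=src,form=fakeentry,fieldset=
// Drop the form entry and keep fieldset=, so the hidden PHPSESSID input is
// emitted after each <fieldset> start tag instead of directly after <form>.
// The same value can be set as url_rewriter.tags in php.ini.
ini_set('url_rewriter.tags', 'a=href,area=href,frame=src,input=src,fieldset=');

session_start();
?>
<form action="?log=login_r" method="post">
  <fieldset>
    <!-- PHP inserts <input type="hidden" name="PHPSESSID" ... /> here -->
    <label>User <input type="text" name="user" /></label>
    <label>Password <input type="password" name="pass" /></label>
    <input type="submit" value="Log in" />
  </fieldset>
</form>
```

With a Strict doctype the hidden input is then a child of fieldset rather than of form, so running the generated page through the validator confirms whether the rewrite still produces invalid markup.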
