Pages are failing to validate

[Scott]

Pages on my site that have a form on them are not validating to XHTML 1.0 Strict. The problem occurs only when I copy the page from my local web server over to my account here for production. It appears that the web server, or something, here at glowhost is adding a hidden input tag that contains a php session id right after my form tag. Since the mysteriously appearing hidden input tag is not encapsulated in a p (or similar) tag it is causing these pages to fail validation. I have never encountered this situation in the past and am not sure how to handle this.

Any input would be greatly appreciated.

Thanks in advance.

[Matt]

That sounds very unusual. How are you uploading the site? Got a link to it and where in the source you see it?

[Scott]

I am uploading FTP over TLS.

Here is one example: http://www.allmartech.com/email-a-fr...llmartech.com/

This is even more strange, when I view source from my browser I see my code as expected:

HTML Code:

<form method="post"  action="http://www.allmartech.com/email-a-friend.php?ref=www.allmartech.com/">
<p><input name="ref" type="hidden" value="www.allmartech.com/" /></p>
<p><input name="action" type="hidden" value="transmit" /></p>

However, when I validate w3c sees:

HTML Code:

<form method="post" action="http://www.allmartech.com/email-a-friend.php?ref=www.allmartech.com/"><input type="hidden" name="PHPSESSID" value="b4824038e1828bccfbd183a3d3bfb174" />

[Scott]

Some progres.

My local php.ini file has the following turned off: session.use_trans_sid, while gloowhost has this on.


Checking further ...

[Scott]

More info from php.net ...

**********************************
session.use_trans_sid boolean session.use_trans_sid whether transparent sid support is enabled or not. Defaults to 0 (disabled).

Note: For PHP 4.1.2 or less, it is enabled by compiling with --enable-trans-sid. From PHP 4.2.0, trans-sid feature is always compiled.
URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.

url_rewriter.tags string url_rewriter.tags specifies which HTML tags are rewritten to include session id if transparent sid support is enabled. Defaults to a=href,area=href,frame=src,input=src,form=fakeentr y,fieldset=

Note: If you want XHTML conformity, remove the form entry and use the <fieldset> tags around your form fields.

********************************************

The fieldset tag doesn't work because the glowhost url_rewriter.tags is set to "a=href,area=href,frame=src,form=,fieldset="

[jmarcv]

I assume you are using sessions and need them? Sounds like you want this

session.use_cookies ON
session.use_only_cookies ON

[Scott]

Well it looks like I found a work around by changing the glowhost ini setting for url_rewriter.tags.

I would like to open a discussion as to why session.use_trans_sid is on if the default value is suppose to be disabled.

Thanks

[jmarcv]

Laurens Holst Says:
July 28th, 2004 at 9:13 pm Another solution for XHTML
As far as XHTML validation is concerned, another nice solution with the added advantage that it doesn’t disable the trans_sid functionality itself is:
ini_set(’arg_separator.input’,'&amp;’);
ini_set(’arg_separator.output’,'&amp;’);
It simply changes the invalidating ampersant from & to &amp;, solving the problem! This is also a good solution if ini_set(’session.use_trans_sid’,'0′) doesn’t work but you don’t want to/can’t temper with .htaccess files.
~Grauw

http://www.mtdev.com/2002/06/why-you...use_trans_sid/

Good discussion here.
http://www.mtdev.com/2002/06/why-you...use_trans_sid/