PHP :: Bug #22070 :: trans_id: Hidden fields placed incorrectly

Bug #22070	trans_id: Hidden fields placed incorrectly
Submitted:	2003-02-05 08:33 UTC	Modified:	2003-02-09 16:00 UTC
From:	jonas at understroem dot dk	Assigned:
Status:	Closed	Package:	Session related
PHP Version:	4.3.0	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	jonas at understroem dot dk
New email:
PHP Version:		OS:

New/Additional Comment:

[2003-02-05 08:33 UTC] jonas at understroem dot dk

When using session.use_trans_sid, a hidden input field containing the session name and ID is placed right after the <form> tag. Unfortually, this makes the HTML invalid if you're using XHTML 1.1, strict XHTML 1.0, or strict HTML 4.0: All input fields (even hidden ones) must be placed inside a block-level element such as <div> or <p>.

The solution: When the parser discovers a form on the page, it should place the hidden field containing the session name + ID right next to one of the other input fields:

The original page:

<form action='some.php' method='post'>
  <div>
    <input type='text' name='yourName'/>
  </div>
</form>

After being processed by the parser:

<form action='some.php' method='post'>
  <div>
    <input type='hidden' name='PHPSESSID' value='920203'/><input type='text' name='yourName'/>
  </div>
</form>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-02-05 09:16 UTC] magnus@php.net

Output from http://validator.w3.org: 
Line 7, column 115: document type does not allow element 
"input" here; missing one of "ins", "del", "h1", "h2", 
"h3", "h4", "h5", "h6", "p", "div", "address", "fieldset" 
start-tag 
 
  ...="f78cfab3aa4745920992c99cabedc75f" /> 
                                          ^

[2003-02-05 16:01 UTC] sniper@php.net

You can disable the adding of the hidden field by
removing 'form=' from url_rewriter.tags

[2003-02-09 15:36 UTC] node at nodefall dot de

lol 

is this the way how php is fixing bugs?

[2003-02-09 16:00 UTC] sas@php.net

For xhtml, you use <form><fieldset>, so that the rewriter will include the hidden input field after the fieldset.

[2003-02-10 12:25 UTC] node at nodefall dot de

1. i won't use <fieldset> ... i use <div> instead

2. If i use fieldset (4.3.0) this is the result

<form id="session" method="post" action="?act=login"><input type="hidden" name="PHPSESSID" value="8a918ae1b8091340b6bdabebc43d623a" /><fieldset><input type="hidden" name="PHPSESSID" value="8a918ae1b8091340b6bdabebc43d623a" />

very funny

[2004-09-29 14:00 UTC] zhou140 at yahoo dot com dot cn

fix this bug please

it is still there at 4.3.8

this cause html 4.01 strict to fail.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Oct 26 06:00:02 2025 UTC