PHP :: Bug #22070 :: trans_id: Hidden fields placed incorrectly

Bug #22070	trans_id: Hidden fields placed incorrectly
Submitted:	2003-02-05 08:33 UTC	Modified:	2003-02-09 16:00 UTC
From:	jonas at understroem dot dk	Assigned:
Status:	Closed	Package:	Session related
PHP Version:	4.3.0	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	jonas at understroem dot dk
New email:
PHP Version:		OS:

New Comment:

[2003-02-05 08:33 UTC] jonas at understroem dot dk

When using session.use_trans_sid, a hidden input field containing the session name and ID is placed right after the <form> tag. Unfortually, this makes the HTML invalid if you're using XHTML 1.1, strict XHTML 1.0, or strict HTML 4.0: All input fields (even hidden ones) must be placed inside a block-level element such as <div> or <p>.

The solution: When the parser discovers a form on the page, it should place the hidden field containing the session name + ID right next to one of the other input fields:

The original page:

<form action='some.php' method='post'>
  <div>
    <input type='text' name='yourName'/>
  </div>
</form>

After being processed by the parser:

<form action='some.php' method='post'>
  <div>
    <input type='hidden' name='PHPSESSID' value='920203'/><input type='text' name='yourName'/>
  </div>
</form>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-02-05 09:16 UTC] magnus@php.net

Output from http://validator.w3.org: 
Line 7, column 115: document type does not allow element 
"input" here; missing one of "ins", "del", "h1", "h2", 
"h3", "h4", "h5", "h6", "p", "div", "address", "fieldset" 
start-tag 
 
  ...="f78cfab3aa4745920992c99cabedc75f" /> 
                                          ^

[2003-02-05 16:01 UTC] sniper@php.net

You can disable the adding of the hidden field by
removing 'form=' from url_rewriter.tags

[2003-02-09 15:36 UTC] node at nodefall dot de

lol 

is this the way how php is fixing bugs?

[2003-02-09 16:00 UTC] sas@php.net

For xhtml, you use <form><fieldset>, so that the rewriter will include the hidden input field after the fieldset.

[2003-02-10 12:25 UTC] node at nodefall dot de

1. i won't use <fieldset> ... i use <div> instead

2. If i use fieldset (4.3.0) this is the result

<form id="session" method="post" action="?act=login"><input type="hidden" name="PHPSESSID" value="8a918ae1b8091340b6bdabebc43d623a" /><fieldset><input type="hidden" name="PHPSESSID" value="8a918ae1b8091340b6bdabebc43d623a" />

very funny

[2004-09-29 14:00 UTC] zhou140 at yahoo dot com dot cn

fix this bug please

it is still there at 4.3.8

this cause html 4.01 strict to fail.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Jul 03 10:01:33 2025 UTC