My site isn’t validating due to PHPSESSID being seen in the source code. However, this wasn’t happening just a few days ago and I’ve not done anything to cause this, as far as I am aware. My host also denies any knowledge of changing anything.
The PHPSESSID isn’t visible when I view the source of the pages myself, so it seems to be something to do with the interaction between my site and the validator. Any ideas how I can resolve it? I have trawled the internet and tried various settings on the server but to no avail.
I know that PHPSESSID is used when cookies are blocked; has the validator changed somehow?
I realise there are other validation issues on there as well but I know how to fix those and will be doing so over the coming days.
Thanks for any advice.
The site is http://www.fantasy-f1-league.com/info.php (that’s a PHP info page, the site is without the file name at the end)
It’s the session.use_trans_sid option, which tells PHP to persist the session ID via non-cookie means. That means PHP will be parsing your page, looking for ANY links and forms, and adding the session ID as a query parameter and/or hidden form field.
trans_sid is a nasty security risk if you’re doing anything “important”, because it DOES transmit the session ID around in URLs, means it’s utterly trivial to hijack someone’s session, and the session ID will also leak out to other sites in HTTP REFERERS and whatnot.
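A check for the rewriting described in the answer above, added here as an example and not part of the original thread: it scans a page's HTML for a session ID written into link or form URLs or into a hidden form field. It assumes PHP's default session name PHPSESSID; the sample markup and the function and class names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

SESSION_NAME = "PHPSESSID"            # default PHP session name (assumption)
URL_ATTRS = {"href", "src", "action"}  # attributes that can carry a rewritten URL

class TransSidScanner(HTMLParser):
    """Collects places where a session ID has been written into the markup."""

    def __init__(self, session_name=SESSION_NAME):
        super().__init__()
        self.session_name = session_name
        self.findings = []  # (tag, attribute, value) tuples

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Hidden form field carrying the session ID
        if tag == "input" and attrs.get("name") == self.session_name:
            self.findings.append((tag, "name", self.session_name))
        # Session ID appended to a URL as a query parameter
        for name in sorted(URL_ATTRS.intersection(attrs)):
            value = attrs[name] or ""
            if self.session_name in parse_qs(urlsplit(value).query):
                self.findings.append((tag, name, value))

def find_session_leaks(html, session_name=SESSION_NAME):
    """Return every (tag, attribute, value) where the session ID appears."""
    scanner = TransSidScanner(session_name)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a page as it looks after URL rewriting, and a clean one.
SAMPLE_REWRITTEN = """
<a href="teams.php?PHPSESSID=0123456789abcdef">Teams</a>
<a href="rules.php">Rules</a>
<form action="login.php" method="post">
<input type="hidden" name="PHPSESSID" value="0123456789abcdef" />
</form>
"""
SAMPLE_CLEAN = '<a href="teams.php">Teams</a>'

if __name__ == "__main__":
    for tag, attr, value in find_session_leaks(SAMPLE_REWRITTEN):
        print(f"session ID exposed in <{tag}> {attr}: {value}")
```

Feed it the HTML as served to a client that sends no session cookie, which is how a validator requests the page; an empty result after turning session.use_trans_sid off confirms the rewriting has stopped.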