What are you going to do? Pack up and go home? Not so fast!
Simply add the following line to the top of your PHP code before all that session stuff happens...
Phew, you're safe. But wait! Right when you thought PHPSESSID wouldn't give you anymore trouble, you make a page with a form. Now it's putting a hidden field right after your <form> tag and it breaks validation again!
Spray some of this at the top of your code...
ini_set('url_rewriter.tags', "a=href, area=href, frame=src, fieldset=");
And the world is safe, once again.