I've noticed PHP sessions automatically maintain themselves if a session cookie can't be or isn't set - by appending CGI parameters to links, and/or adding a hidden field to forms.

Fantastic ... but ... the CGI parameters it generates are invalid - because they use & instead of &amp;amp; - and the form fields it inserts are also invalid - in XHTML Strict form fields have to be inside <fieldset>s.

So what can I do about that?

You can influence which separator is used by PHP to output URL strings. Look at http://www.php.net/manual/en/configuration.directives.php for arg_separator.output. It should be possible to set this from a .htacces file if you don't have access to the php.ini file.

As for the fieldset issue... which version of XHTML? I just validated a XHTML1.0 page which contains input fields without <fieldsets>, and it worked. So I tried looking up if fieldsets are now mandatory for web authoring... but nada... I couldn't find good info and had to resort to read the DTD, which I'm not very good at... shouldn't XHTML be supposed to make web authoring easier? Instead it seems they require everyone to be quite XML savy to get a final answer from the docs. Not very user-friendly IMO.
And back to your question: I would'nt care. ;)
The file is only temporary rewritten once for every user, so you still have the option of parsing the file later and extracting contents. Or am I missing something?