1

I'm working through a book which creates this function for destroying a session:

    function destroy_session_and_data()
    {
        session_start();
        $_SESSION = array();
        if (session_id() != "" || isset($_COOKIE[session_name()]))
            setcookie(session_name(), '', time() - 2592000, '/');
        session_destroy();
    }

I was wondering whether the conditional statement is overly long?

Could it not be rewritten as the following:

if (session_id() != "" || isset(session_name()))

That is, doesn't session_name() return the value 'PHPSESSID' without the need for a specific reference to the $_COOKIE array?

Going further, could the conditional not just be written like this:

if (session_id() != "")

Seeing as session_id() returns the VALUE of the key [PHPSESSID] in the $_COOKIE array, if it is not empty then surely it goes without saying that session_name(), which returns the KEY [PHPSESSID], will be set, because they exist together as a name/value pair in the $_COOKIE array?

Cheers for any help!

Nathan
  • @Deepanshu: Why? There are only two string values that would pass `isset` but fail `!empty` (`''` and `'0'`) and both of them cannot be used as session names. – Jon Sep 06 '13 at 10:38
  • @Jon you are right, it just makes it more error proof I guess, I am always confused at that too!! Well, @Nathan, http://stackoverflow.com/questions/7191626/isset-and-empty-what-to-use this link might clear out things – Deepanshu Goyal Sep 06 '13 at 10:42
  • @Deepanshu: The manual is enough to explain how `empty` works, there should be no confusion here. You suggested changing `if (x)` to `if (x && true)` which is obviously redundant. – Jon Sep 06 '13 at 10:44
  • @Jon placing !empty ('') is not redundant because who knows, it might be getting set blank/empty/or a space from somewhere... I always prefer both – Deepanshu Goyal Sep 06 '13 at 10:46
  • @Deepanshu: "because who knows"? The **manual** knows, and it tells those who read it. – Jon Sep 06 '13 at 10:47
  • `$var = "";` `if(empty($var))` true because `""` is considered empty; `if(isset($var))` true because var is set. Just read these lines – Deepanshu Goyal Sep 06 '13 at 10:48
  • @Deepanshu: Yeah, but `''` is not a value that `session_name()` can return *because it is not a valid session name*: "The session name can't consist of digits only, at least one letter must be present." – Jon Sep 06 '13 at 10:50
  • @Jon I know this all Jon, let the OP decide what he wants... – Deepanshu Goyal Sep 06 '13 at 10:52
  • @Deepanshu: Whilst I appreciate your help, my question wasn't really concerned with the nuances of the empty() or isset() functions. My question was whether the if statement was unnecessarily long by appealing to two sides of the same coin, i.e. the session name and the session id. – Nathan Sep 06 '13 at 12:06
  • I've just realised the answer to the first part of my question. If you try using just `isset(session_name())` you receive the following error message: `Fatal error: Can't use function return value in write context` so it must be written as `isset($_COOKIE[session_name()])` – Nathan Sep 06 '13 at 16:11

1 Answer

0

Since the conditional runs after session_start¹, the isset($_COOKIE[session_name()]) check seems redundant to me.

What are the circumstances where the session id might be empty and at the same time the isset check would be true? The only one I can think of is when session id persistence is not implemented with cookies, but a cookie with the session name has nevertheless been received from the client. In this case clearing the cookie will have no effect because, well, the session doesn't use cookies.

So as far as I can tell you can indeed simplify the condition to

if (session_id() != "")

¹ If the code ran before session_start then the isset would be able to detect if a session will be continued when session_start is later called, although this particular check is simplified and does not handle all cases correctly. In addition, clearing the cookie as a response would not change anything for the current request, so while the test itself might theoretically be useful, the test + response code as presented is meaningless.

Jon
  • Cheers Jon. A quick question: when you say that 'If the code ran before session_start then the isset would be able to detect if a session will be continued when session_start is later called,' I was wondering how this would work? I assumed that before session_start is executed, $_COOKIE[session_name()] would return nothing. – Nathan Sep 06 '13 at 15:39
  • @Nathan: Wrong assumption basically. `$_COOKIE` is populated from the get-go, and `session_name()` always returns some value (read from php.ini unless you override it). If a cookie with that name happens to be set then `$_COOKIE[session_name()]` would be its value, nothing out of the ordinary. – Jon Sep 06 '13 at 17:22
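
The teardown discussed in this thread, as an added example that is not the book's code and not part of the answer or comments above. It goes one step past the simplified condition by asking `session.use_cookies` whether a cookie carries the session at all, and it expires the cookie with the attributes it was issued with; `session_probe()` is a hypothetical helper introduced only to show the two values the original condition inspects.

```php
<?php
// Added example: not the book's code and not from the answer above.

// Snapshot of the two things the original condition looks at.
// (Hypothetical helper, introduced for illustration only.)
function session_probe(): array
{
    return [
        'session_id_empty' => session_id() === '',
        'cookie_present'   => isset($_COOKIE[session_name()]),
    ];
}

function destroy_session_and_data(): void
{
    // Only start a session if none is active, so the function can be
    // called from code that has already called session_start().
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];

    // Clear the cookie only when sessions are actually carried in one.
    if (ini_get('session.use_cookies')) {
        // A browser replaces a cookie only when name, path and domain match,
        // so reuse the attributes the session cookie was issued with
        // instead of hard-coding '/'.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 2592000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Command-line demo. Nothing is printed until the end, because output sent
// before session_start() can stop the session from starting.
if (PHP_SAPI === 'cli') {
    $states = ['before session_start()' => session_probe()];
    session_start();
    $states['after session_start()'] = session_probe();
    destroy_session_and_data();
    $states['after destroy'] = session_probe();
    var_export($states);
}
```

Run from the command line, the three snapshots show how `session_id()` changes across the session lifecycle while `$_COOKIE[session_name()]` reflects only what the request carried.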