
Is this bad practice?

if ($_SESSION['something'] == '')
    echo 'the session is empty';

Is there a way to check if it's empty or it is not set? I'm actually doing this:

if (($_SESSION['something'] == '') || (!isset($_SESSION['something']))) {
    echo "the session is either empty or doesn't exist";
}

Does !isset just check if a $_SESSION[''] exists, and not check whether there are values in the array or not?



I would use isset and empty:

if (isset($_SESSION['blah']) && !empty($_SESSION['blah'])) {
    echo 'Set and not empty, and no undefined index error!';
}

array_key_exists is a nice alternative to using isset to check for keys:

if (array_key_exists('blah', $_SESSION) && !empty($_SESSION['blah'])) {
    echo 'Set and not empty, and no undefined index error!';
}

Make sure you're calling session_start before reading from or writing to the session array.

Tuesday, September 20, 2022

In PHP versions prior to 5.4, you can just use the session_id() function:

$has_session = session_id() !== '';

In PHP version 5.4+, you can use session_status():

$has_session = session_status() == PHP_SESSION_ACTIVE;
Thursday, November 17, 2022

You can modify another user's session (see below), although personally, I would recommend against it, as I imagine it can open up a whole world of session hijacking and other vulnerabilities.

With your example use case

A common user is logged in while, at the same time, an administrator uses the Admin functions and changes some value for this user. If the value is not something obtained from the database every time, the session variable for that currently logged-in user needs to have its value changed.

You would be better off updating the value in the database and then just checking to see if it's changed before you process the next page. If you don't want to be checking multiple user fields before each page load, then when you update the user in the admin panel you can build a hash of the values and add it to a new column called session_hash. Then just compare this field on page load.

But if you still want to modify another user's session, you can set your current session_id to the target's.

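// End my current session and save its id
session_start();
$my_session_id = session_id();
session_write_close();

// Modify our target session ($target_session_id is a placeholder for the target's id)
session_id($target_session_id);
session_start();
$_SESSION['is_logged_in'] = false;
session_write_close();

// Start our old session again
session_id($my_session_id);
session_start();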




Monday, December 5, 2022
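
The session_hash approach recommended in the answer above, as an added example that is not part of the original answer: the admin action changes the database row and its hash, and each user's own page load notices the mismatch and refreshes (or drops) that user's session. The users table layout, the tracked field list and all function names are assumptions made for illustration.

```php
<?php
// Added example: table layout, tracked fields and function names are assumptions.
const TRACKED = ['role', 'is_active'];   // user fields that a session caches or depends on

function session_hash(array $user): string {
    $tracked = array_map(fn($f) => (string) $user[$f], TRACKED);   // fixed order, fixed types
    return hash('sha256', json_encode($tracked));
}

function fetch_user(PDO $db, int $id): array {
    $st = $db->prepare('SELECT role, is_active, session_hash FROM users WHERE id = ?');
    $st->execute([$id]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: [];
}

// Admin side: change one tracked field, then store the new hash in the same row.
function admin_update(PDO $db, int $id, string $field, string $value): void {
    if (!in_array($field, TRACKED, true)) {   // allow-list, the column name is interpolated
        throw new InvalidArgumentException("untracked field: $field");
    }
    $db->prepare("UPDATE users SET $field = ? WHERE id = ?")->execute([$value, $id]);
    $db->prepare('UPDATE users SET session_hash = ? WHERE id = ?')
       ->execute([session_hash(fetch_user($db, $id)), $id]);
}

// User side: call on every page load with $_SESSION. False means "log in again".
function sync_session(PDO $db, array &$session): bool {
    $row = isset($session['user_id']) ? fetch_user($db, (int) $session['user_id']) : [];
    if (!$row || !$row['is_active']) {
        $session = [];                        // unknown or deactivated account
        return false;
    }
    if ($row['session_hash'] !== ($session['session_hash'] ?? null)) {
        $session['role'] = $row['role'];      // reload the cached values
        $session['session_hash'] = $row['session_hash'];
    }
    return true;
}

// Constructed demo: in-memory SQLite, $session stands in for $_SESSION.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, role TEXT, is_active INTEGER, session_hash TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'editor', 1, '')");
admin_update($db, 1, 'role', 'editor');       // seeds session_hash
$session = ['user_id' => 1];
sync_session($db, $session);                  // "login": loads role and hash
admin_update($db, 1, 'role', 'viewer');       // admin demotes the user
var_dump(sync_session($db, $session), $session['role']);
admin_update($db, 1, 'is_active', '0');       // admin deactivates the user
var_dump(sync_session($db, $session), $session);
```

In a web request, call session_start() first and pass $_SESSION to sync_session(); no code ever has to open another user's session.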

Instead of setting the time in ini to a fixed length, remember that the session timeout is reset on reload. So create some AJAX code that does a request every 5 minutes or so to a file (image or something). This way the timer is reset every 5 minutes and users can spend a day filling out your forms.

Saturday, November 5, 2022

session_status is available for PHP v5.4 and later, maybe that's why.

You can try with session_id:

session_id() returns the session id for the current session or the empty string ("") if there is no current session (no current session id exists).

Just what you need for PHP below 5.4! ;)

Thursday, December 15, 2022