Issue encountered while trying to keep website private

After reviewing a reset password link, I realised that two variables were being passed via $_GET: key and login. I’ve added the below code to the beginning of my redirect_user() function:

if(isset($_GET['key'])  && isset($_GET['login']))
{
return ;
}

It didn’t fix the issue and i was still being redirected to the login page whenever I click on the reset password link, however when I made the following edit:

if(!isset($_GET['key'])  && !isset($_GET['login']))
    {
    return ;
    }

It works as intended but I’m confused why.