man what is going on this ain't exploit at all if ($action == "logout") { Setcookie("loginpwd","",time() -86400); Setcookie("loginuser","",time() - 86400); include($logout_page); exit; } else if ($action == "login") u have if here and its say if u logout and u have exit too so it won't execute anything after that