Leaderboard

Yes, you're on the right path. And the concepts are a bit confusing. Remember that cookies are sent back and forth between the server and the browser. The $_COOKIES array is populated by the browser sending cookies back to the server. On the login page, the PHP script sets the cookie which means the cookie doesn't exist when the page is first loaded (i.e., it's not sent from the browser to the server upon login submission). So the logic has to factor in that the login page DOESN'T have the cookie, despite actually setting the cookie. Conversely, the cookie exists on the logout page when the page is first loaded but is then deleted (i.e., the cookie is sent from the browser to the server when accessing the logout script). This means the logic has to factor in that the cookie DOES exist upon first running the page. It probably also helps to remember that the includes become part of the page that included them. So when login.php is run without receiving a cookie from the browser, the included file also don't receive that cookie. (In other words, the execution of the included file is not a separate request from the browser.)