I usually set my cookies like below. Hopefully, this will help you figure out your issue.

// Use to set cookie session for domain.
$cookiedomain = $_SERVER['SERVER_NAME']; 
$cookiedomain = str_replace('www.', '', $cookiedomain);

if(isset($_POST['remember_me'])){
    setcookie("application_cookname", $_SESSION['username'], time()+60*60*24*365, "/", "." . $cookiedomain);
    setcookie("application_cookpass", md5($_SESSION['password']), time()+60*60*24*365, "/", "." . $cookiedomain);
}

you don't check if the user is actual loged-in in userlogin.php
I would use $_SESSION insted of cookie

@jemz, you are not setting the cookie domain in your code so no it is not necessary to use $_SERVER. If your domain is www.example.com, the str_replace will replace www. with nothing (''). But again, it doesn't seem like you are setting a cookie domain, so all of that info can be stripped.

what'happenig:

login.php
login --> userlogin.php
logout --> userlog-out.php
back --> userlogin.php and because you don't check just display the page

what you need to do is send a cook variable to the nexpage:

if(mysql_num_rows($result)>0)
   {
   $_COOKIE['isValidUser']=True; 
   header('location:userlogin.php');
   }
else
    echo "invalid username and password";

in userlogin.php
check on this variable

this is not secure for a passwoord system because users can just edit these cookies and get access even if they are not a member of youre site

how i standardly do logins is like this:

<?php 
if(ISSET($_POST['login'])){
    $txtusername = $_POST['txtusername'];
    $txtusername = str_replace("'",'',$txtusername);
    $txtusername = str_replace('"','',$txtusername);
    $txtpassword = $_POST['txtpassword'];
    $txtpassword = str_replace("'",'',$txtpassword);
    $txtpassword = str_replace('"','',$txtpassword);

    $sql = "SELECT `user_id` FROM cookie_tbl where name = '$txtusername' and
               password = '$txtpassword'";
    $result= mysql_query($sql);
    if($result !== false && mysql_num_rows($result)>0){
        $userdata = mysql_fetch_assoc($result);
        $token = md5(rand());
        //should check if token already exists in table and make a new one if it does
        //otherwise a user could login as someone else if the token happens to match(unlikely)
        $tokenQuery = "UPDATE `cookie_tbl` SET `token` = '{$token}' WHERE `user_id` = {$userdata['user_id']}"; 
        if(mysql_query($tokenQuery)){
            setcookie('token',$token,time()+(60*60*8),'/');
            header('location:userlogin.php');
        }else{
            echo "error setting token";
        }

    }else{
        echo "invalid username and password";    
    }
}
?>

The on each page of the site i add a required include like so:

-> index.php

<?php
require_once 'app.php';

if($appData['login']){
    //logged in
    echo "Welcome back <span style='color:{$appData['some_preference']};'>{$appData['user_name']}</span>";
}else{
    header('Location: userlogin.php');
}
?>

then the included file checks if the user is logged in or not and pulls some data you might want to personalise the site:

-> app.php

<?php 
$appData = array();
if(ISSET($_COOKIE['token']) && ctype_alnum($_COOKIE['token'])){
    $checkTokenQuery = "SELECT `user_id`,`user_name`,`some_preference` FROM `cookie_tbl` WHERE `token` = '{$_COOKIE['token']}";
    $chkResult = mysql_query($checkTokenQuery);
    if($chkResult !== false && mysql_num_rows($chkResult) == 1){
        $appData = mysql_fetch_assoc($chkResult);
        $appData['login'] = true;
    }else{
        $appData['login'] = false;
    }
}else{
    $appData['login'] = false;
}
?>

Sessions are basically temporary data stored on your hosting server for a client connecting to you, it generates a random token, much like the cookie setup above,to validate your session then once you validate the server has access to variables set whilst that user is connected. such as setting $_SESSION['name'] = 'Biiim'; on one page, once i open another page the session token gets passed along and it will remember that var has been set so you can re-use it by doing echo $_SESSION['name'];.

Cookies are data stored on the users computer so say you set $_COOKIE['name'] = 'Biiim'; that data is stored on my browser and i can go in and edit it, it also requires no validation cause its on my pc anyone could create that cookie without your site even creating it, the cookie method above uses a cookie called token which is some large random string, very hard to guess, the script uses that string to validate a user has logged in correctly and has to match the exact token your script created for the user.

I just set a token cookie then store all other data within mysql, that way it doesnt get lost.

Effectively using that method there is little difference but sessions will always be more secure since the data is stored on your server a person could log on to the users computer and browse his stored cookies - not a good idea to store passwords in cookies. If you want to be really secure you need to use ssl(https) which encrypts data requests so your token can't get hijacked(the thing that identifys you), you generally dont need that unless you are transmitting card details or something quite personal/valuble though.

Thank you so much for this,okay i will try on this code,but i am confuse i have no token field in my cookie_tble if i will put this token field,and how can i create my register.php on this what value i put in the token field.if the user will register.

You will need to create a token field in the table, the token doesn't need to entered when they register, just leave it NULL or whatever you like. Once they login the token will be set on their computer and in your database so they will match up. You may also want to make another field with the time the token was created so you can get it to expire after a certain amount of time.

is it okay to ask to you this,where did you learn this in making the log-in and log-out.

From google really, i just google things i want to do and find ways to do them.

I remember i got some simple login example which used a token with a cookie like 3/4 years ago now - was a lot of headaches trying to understand it and get something working.

Now i just understand php a lot better i just looked at your code and edited to give a client a token once hes logged in and quick include page to check the token matches and which user he is logged in as.

It depends on which browser you use:

I use chrome, on chrome you press ctrl + shift + I Then click on the resources tab, you can see the cookies you have set and can edit/delete them

Firefox, Safari & opera will definitely have a similar thing to edit cookies, maybe its an add on - im not sure about IE though.

str_replace, looks for a character/string within another string and replaces it:

$newstring = str_replace($search_for_this,$replace_it_with_this,$within_this_string);

The reason i did it with that is you are putting the variables into a mysql query, so you want to take out any quotes so a user can't get your query to run something you don't want it to. You should probably take out back slashes too:

<?php 
if(ISSET($_POST['login'])){
$txtusername = $_POST['txtusername'];
$txtusername = str_replace("'",'',$txtusername);
$txtusername = str_replace('"','',$txtusername);
$txtusername = str_replace('\\','/',$txtusername);
$txtpassword = $_POST['txtpassword'];
$txtpassword = str_replace("'",'',$txtpassword);
$txtpassword = str_replace('"','',$txtpassword);
$txtpassword = str_replace('\\','/',$txtpassword);
$sql = "SELECT `user_id` FROM cookie_tbl where name = '$txtusername' and
           password = '$txtpassword'";

I usually just replace them with forward slashes since theres no trouble with them.

Heres your query:
SELECT user_id FROM cookie_tbl where name = '$txtusername' and password = '$txtpassword'

Now imagine $txtpassword was set to "`123' OR 1"

1 will return everything in the table! making him login as the first user in the table, likely to be an admin. If you replace double and single quotes it will prevent any user from doing something like that with the logon, especially watch out for queries that use the update, drop or delete commands.