I have this login code that directs “civilians” to a certain page and “hosts” to a different page. Now the log-in part works. But if I log in as “civilian” and then change the URL to the host page (ciubab.com/host.php) I am able to access it, which is something I cannot allow.
So how do I block “civilians” from entering a page only for hosts?
I tried using a while loop in the host page to block civilians but that didn’t work. I tried reading about sessions and security but I haven’t found anything similar.
Can someone help me?
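Login code: I only published the relevant part.
<?php
// Credentials match the stored username and MD5 password hash.
// Strict comparison (===) avoids PHP type juggling on the hash strings.
if ($username == $dbusername && md5($password) === $dbpassword)
{
    if ($who == 'host')
    {
        $_SESSION['username'] = $username;
        header("Location: http://ciubab.com/host.php");
        exit; // stop executing once the redirect header is sent
    }
    if ($who == 'civilian')
    {
        $_SESSION['username'] = $username;
        header("Location: http://ciubab.com/civilian.php");
        exit; // stop executing once the redirect header is sent
    }
}
?>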
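A redirect at login only chooses where the browser goes next; host.php itself has to check the session on every request. The sketch below is an added example, not the poster's code. It assumes the login script also stores the role with `$_SESSION['role'] = $who;`, and the helper names `is_authorized()` and `require_role()` and the `/login.php` path are hypothetical.

```php
<?php
// Added example. Assumption: after a successful login the login script
// also runs $_SESSION['role'] = $who;  ('host' or 'civilian').

/**
 * Hypothetical helper: pure decision on whether a session may view a page
 * restricted to $requiredRole. Kept separate so it can be unit tested.
 */
function is_authorized(array $session, string $requiredRole): bool
{
    return isset($session['username'], $session['role'])
        && $session['role'] === $requiredRole;
}

/**
 * Hypothetical helper: call as the first statement of a protected page,
 * before any output, so the headers can still be sent.
 */
function require_role(string $requiredRole): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['username'])) {
        // Not logged in at all: send to the login form (assumed path).
        header('Location: /login.php');
        exit;
    }
    if (!is_authorized($_SESSION, $requiredRole)) {
        // Logged in, but with the wrong role (e.g. a civilian on host.php).
        http_response_code(403);
        exit('Forbidden');
    }
}

// Top of host.php:
require_role('host');
// ... host-only content follows ...
```

The role is read from the server-side session, never from the URL, a form field or a cookie value the browser can edit.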