
Redirecting user to dashboard with their user role from same login page

I have directed the user to the dashboard according to the user's role from the same login page.

But with this the user can go to user dashboard just by simply providing the admin's URL.

How can I prevent a user from getting in the admin dashboard after login?

The login code is as follows.

if(isset($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];

    // Reject the attempt if either field was left empty.
    if($username != "" && $password !== ""){
        /*$password = sha1($password);*/
        // Bind the inputs as parameters instead of concatenating them into the SQL string.
        // The password is still compared as stored; password_hash()/password_verify() is the safer scheme.
        $stmt = mysqli_prepare($conn, "SELECT * FROM users WHERE username = ? AND password = ?") or die('Error');
        mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
        mysqli_stmt_execute($stmt) or die('Error');
        $result = mysqli_stmt_get_result($stmt);

        if(mysqli_num_rows($result) > 0){

            while($row = mysqli_fetch_assoc($result)){
                $user_id = $row['user_id'];
                $fullname = $row['fullname'];
                $username = $row['username'];
                $phone_number = $row['phone_number'];
                $state = $row['state'];
                $city = $row['city'];
                $street = $row['street'];
                $email = $row['email'];
                $user_role = $row['user_role'];

                // Store the user's details in the session
                $_SESSION['user_id'] = $user_id;
                $_SESSION['fullname'] = $fullname;
                $_SESSION['username'] = $username;
                $_SESSION['phone_number'] = $phone_number;
                $_SESSION['state'] = $state;
                $_SESSION['city'] = $city;
                $_SESSION['street'] = $street;
                $_SESSION['email'] = $email;
                $_SESSION['user_role'] = $user_role;

                // 'admin' must be a quoted string; a bare admin is an undefined constant.
                if($user_role == 'admin'){
                    header('Location:admin/admindashboard.php');
                }else{
                    header('Location:user/userdashboard.php');
                }
                exit; // stop the script once the redirect header is set
            }
        }else{
            $error="Username or Password is incorrect!!";
        }
    }else{
        $error = "Please Enter Username and Password";
    }
}

You need to make sure that certain conditions match for each user so that they do not navigate by typing into the URL.

From your code, I assume that you have already redirected the users to the relevant page. Make sure you have validation checks in the following files.

Add this to the header of admindashboard.php

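// Assumes session_start() has already been called on this page.
if( ($_SESSION['user_role'] ?? null) != "admin")
{
    session_destroy();
    header("location: login.php");
    exit; // stop here so the rest of the admin page is not sent along with the redirect
}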

Add this to the header of userdashboard.php

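// Assumes session_start() has already been called on this page.
if( ($_SESSION['user_role'] ?? null) != "user")
{
    session_destroy();
    header("location: login.php");
    exit; // stop here so the rest of the user page is not sent along with the redirect
}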

With the above code, you will block other types of users from accessing different parts of the website.

How can I prevent a user from getting in the admin dashboard after login?

By performing the same check on that page (on admindashboard.php). Whatever $user_role and admin are, you would examine the same logic on any page which requires that permission. If the check fails, redirect (possibly to the login page, prompting the user to log in with an account which can access that page).

For example:

if(($_SESSION['user_role'] ?? null) != 'admin') {
    header('Location:login.php');
    exit; // a Location header alone does not stop the script
}

You can't prevent a user from requesting any page. You can respond to that request accordingly.
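
An added example (not code from either answer): the per-page check described in the answers, factored into one include so that every protected page runs the same test and always stops after a failed check. The file name auth_guard.php, the function names, the /login.php path and the 403 response for a logged-in user with the wrong role are assumptions.

```php
<?php
// auth_guard.php: added example; file and function names are hypothetical.
declare(strict_types=1);

// Pure decision: 'allow', 'login' (not authenticated) or 'forbidden' (wrong role).
function authorize(array $session, string $requiredRole): string
{
    if (!isset($session['user_id'], $session['user_role'])) {
        return 'login';
    }
    // Strict comparison: no type juggling between e.g. 0, null and a role string.
    if ($session['user_role'] !== $requiredRole) {
        return 'forbidden';
    }
    return 'allow';
}

// Call before any output on every page that needs $requiredRole.
function require_role(string $requiredRole): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    switch (authorize($_SESSION, $requiredRole)) {
        case 'allow':
            return;
        case 'login':
            header('Location: /login.php'); // assumed path of the login page
            exit; // without exit the protected page would still be rendered and sent
        default:
            http_response_code(403); // logged in, but not permitted to see this page
            exit('Forbidden');
    }
}

// Self-check with constructed session arrays: php auth_guard.php
if (PHP_SAPI === 'cli' && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    $admin = ['user_id' => 1, 'user_role' => 'admin'];
    $user  = ['user_id' => 2, 'user_role' => 'user'];
    var_dump(authorize($admin, 'admin') === 'allow');
    var_dump(authorize($user, 'admin') === 'forbidden');
    var_dump(authorize([], 'admin') === 'login');
}

// At the top of admin/admindashboard.php:
//   require __DIR__ . '/../auth_guard.php';
//   require_role('admin');
```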
