
Can go to admin page if logged in as user

I'm working on a site where I want to have 2 pages. I have the login page, a welcomeadmin.php and a welcomeuser.php.

If I log in with admin, I get redirected to the admin page, and if I log in as a user I get redirected to the user page, which is good.

The problem is that when I log in as user and get redirected to the user page, I can also access welcomeadmin.php by changing it in my URL.

login.php:

session_start();

// Check if the user is already logged in, if yes then redirect him to welcome page
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
    if($_SESSION['functie'] == 'admin'){
        header("location: welcomeadmin.php");
    }
    else{
        header("location: welcomeuser.php");
    }

    exit;
}

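welcomeadmin.php:

// Initialize the session
session_start();

// Only checks that someone is logged in; the role is not checked here
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
    header("location: login.php");
    exit;
}

welcomeuser.php: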

<?php
// Initialize the session
session_start();

// Check if the user is logged in, if not then redirect him to login page
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
header("location: login.php");
exit;
}
?>

In your welcomeadmin.php file you don't check if the user that is trying to access the page is indeed an admin. You can add the check, like in your login.php file, with a simple if statement after your check that the user is logged in. Just add this code snippet after your first if in the welcomeadmin.php file.

if (!isset($_SESSION["functie"]) || $_SESSION["functie"] != "admin") {
    header("location: welcomeuser.php");
    exit;
}
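
The same check can live in one shared include so that no protected page can forget it. This is an added example, not code from the original post: the file name auth.php and the functions authorize() and require_role() are hypothetical, and it assumes the `loggedin` and `functie` session keys shown above. It goes a little further than the answer by denying any session whose role is missing and by answering 403 instead of redirecting.

```php
<?php
// auth.php (hypothetical shared include, not part of the original post).
// Every protected page calls require_role() before producing any output.

// Pure decision function: returns 'ok', 'login' or 'forbidden'.
function authorize(array $session, array $allowedRoles): string
{
    // Not authenticated: same test the page's scripts already use.
    if (!isset($session['loggedin']) || $session['loggedin'] !== true) {
        return 'login';
    }
    // Authenticated but role missing or not on the allow list: deny by default.
    $role = $session['functie'] ?? null;
    if (!is_string($role) || !in_array($role, $allowedRoles, true)) {
        return 'forbidden';
    }
    return 'ok';
}

// Enforces the decision for the current request and stops the script on denial.
function require_role(string ...$allowedRoles): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    switch (authorize($_SESSION, $allowedRoles)) {
        case 'login':
            header('Location: login.php');
            exit;
        case 'forbidden':
            http_response_code(403);
            exit('Forbidden');
    }
}

// Constructed sample sessions, run only from the command line as a self-check.
if (PHP_SAPI === 'cli') {
    $samples = [
        'anonymous' => [],
        'user'      => ['loggedin' => true, 'functie' => 'user'],
        'admin'     => ['loggedin' => true, 'functie' => 'admin'],
        'no role'   => ['loggedin' => true],
    ];
    foreach ($samples as $name => $session) {
        printf("%-9s -> %s\n", $name, authorize($session, ['admin']));
    }
}
```

With this in place, welcomeadmin.php would start with `require 'auth.php'; require_role('admin');` and welcomeuser.php with `require_role('user', 'admin');`.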
