Login breach

I have this login code that directs “civilians” to a certain page and “hosts” to a different page. Now the log-in part works. But if I log in as “civilian” and then change the URL to the host page (ciubab.com/host.php) I am able to access it, which is something I cannot allow.

So how do I block “civilians” from entering a page only for hosts?

I tried using a while loop in the host page to block civilians but that didn’t work. I tried reading about sessions and security but I haven’t found anything similar.
Can someone help me?

login code: I only published the relevant part.

      header("Location: http://ciubab.com/host.php");
         header("Location: http://ciubab.com/civilian.php");

Ok, I solved it finally.
I just had to add $_SESSION[‘who’]=$who; to the login page,
and then I added another piece of code into my host and civilian page and it worked.
The code I added was:

if($_SESSION[‘who’] != ‘host’){
header(‘Location: ciubab.com/mustlogin.php’);]

Hopefully this can help other beginners.

Good to hear that you’ve solved it. Remember that you should check login/permissions on every relevant page. Otherwise users can bypass the login using bookmarks, by directly typing the url in the browser address bar, by emailing private links to another person, by extracting interesting urls from website log files and so on.