Implementing User Login, Logout, and Multi-Level Role-Based Access Control with PHP

When developing a website, user login and logout are common and essential features, and as the site expands, multi‑level role and permission management is often required to ensure different users have appropriate access rights. This article explains how to implement these functions using PHP, with code examples.

First, a database table is created to store user information. The table structure is as follows:

CREATE TABLE users (
id INT(11) AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(100) NOT NULL,
password VARCHAR(100) NOT NULL,
role VARCHAR(50) NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

In this table, username stores the user name, password stores the hashed password, role stores the user’s role, and created_at records the creation time.

Next, the PHP code for login and logout functions is written. The login function is:

function login($username, $password) {
// Query user information from the database
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysqli_query($conn, $query);
if (mysqli_num_rows($result) == 1) {
$user = mysqli_fetch_assoc($result);
// Verify password
if (password_verify($password, $user['password'])) {
// Set user session state
$_SESSION['user_id'] = $user['id'];
$_SESSION['username'] = $user['username'];
$_SESSION['role'] = $user['role'];
return true;
}
}
return false;
}

The code first checks whether the username exists in the database; if it does, it verifies the password with password_verify . Upon successful verification, user information is stored in $_SESSION to achieve login.

The logout function is:

function logout() {
// Destroy session
session_unset();
session_destroy();
}

This code destroys the current $_SESSION by calling session_unset and session_destroy .

While the above code provides basic login and logout functionality, implementing multi‑level role and permission management requires additional interfaces.

First, a function to check user permissions is written:

function checkPermission($requiredRole) {
if (isset($_SESSION['role']) && $_SESSION['role'] == $requiredRole) {
return true;
} else {
return false;
}
}

This function checks whether the current user's role matches the required role, returning true if it does and false otherwise.

Then, the checkPermission function can be used to enforce appropriate access control:

if (checkPermission('admin')) {
// Execute admin operations
} elseif (checkPermission('user')) {
// Execute regular user operations
} else {
// No permission to operate
}

The code executes different operations based on the user's role: admin operations for administrators, regular operations for standard users, and a fallback for unauthorized users.

In summary, the provided PHP code examples demonstrate how to implement user login, logout, and multi‑level role and permission management, enabling flexible access control and enhancing website security during development.