Ok, thanks Larry. I think I have sussed it and have attached the code so others can learn from it. Placed on every page that needs protecting and it appears to work very well
// If no session variable exists, or unauthorized user_level, redirect the user:
if (isset($_SESSION['user_id']))
{
// if a valid user session is found then the user level is checked, if the
// user has level 3 access they will be granted access if not a access denied
//message be displayed and the user will be redirected.
if ($_SESSION['user_level'] == 3) {}
else
{
header("Refresh: 3; url=index.php");
echo '<h3>Access deined - you do not have access to this page</h3>';
echo 'You will be redirected in 3 seconds';
include ('includes/footer.html');
exit(); // Quit the script.
}
}
// if no valid session is found then the user is not logged in and will
// receive a access denied message and will be redirected to the login page.
else if (!isset($_SESSION['user_id'])) {
header("Refresh: 3; url=login.php");
echo '<h3>Access deined - you do not have access to this page</h3>';
echo '<p>You will be redirected in 3 seconds</p>';
include ('includes/footer.html');
exit(); // Quit the script.
}