I have a website, im using sessions for the login. In every pages of my admin, I have a checker if the user has logged in or not. I have this code

if(!$_SESSION['loggedin'] && !$_SESSION['userid'])
{
  header('Location:login.php');
}
else
{
 //proceed loading the page
}

Now what happen now, someone is messing up with our site. He/She is entering some vulgar texts on the website like … All disrespectful words and its so frustrating because the website is accessible to the public.
I believe the username and password was being hacked. So i asked all admin users to changed all passwords and i added a logger to monitor who will update the content of the website. I record the userid of the logged in user and its post. After changing passwords, the same thing happen again, content was updated by the hacker or whoever he is.

I checked my log, the user id of the hacker is 0. How is that possible and how do i stop him? Makes me wonder what did he do because it is in my condition at the very top of the page that if $_SESSION[‘userid’] has no value, it should redirect them to the login page.

Currently i put the website offline because the hacker is getting worst and worst. I was able to find out the ip address of it.

This is my user authentication

$user=trim($_POST['username']);
$pass=trim(stripslashes($_POST['password']));
$sql="SELECT * FROM users WHERE user='$user' AND pass='$pass'";
$qry=mysql_query($sql) or die (mysql_error());
if( mysql_num_rows($qry) )
{
  $row=mysql_fetch_assoc($qry);
  $_SESSION['userid'] =$row['userid'];
  $_SESSION['loggedin']=1;  
  header('Location: welcome.php');
}
else
{
      header('Location:login.php?error=1');
}