Hello guys
today when i checked my script I noticed my sessions are not protected,
when user log in his username stored in session variable lets call it $_SESSION['user'], and I use this session variable in many function
ex. when uploading a file the name of user taken from session var., when check this is a user or admin use the session var.

check_admin ($SESSION['user']);
function check_admin($var) {
//SQL search for $var in TABLE WHERE is admin = 1
// IF success go to admin panel
// else go to login page 
}

so I thought if someone create a session with the same name of mine $_SESSION['user'] and entered the admin control panel he will get acces I think, because I check the name of admin only,
how can I protect session so only the one with username and password can enter the script.