Admin and user both can log in to their account. When a user login we check the user id and password and if correct then logged in.
But now if a user is logged in with his user id and password then he can access the admin area by using URL.
Because we are just checking the login authentication, that's it. So we need to stop a user to access the admin area by using URL.