Broken Session Management

The web server identified the user only by an ID stored in an unencrypted cookie. An attacker could simply change the ID value and be logged in as another user.

* Impact: fraud possible across all code paths, since every one of them trusted the cookie ID.

Fast solution: replace the plain ID with an encrypted token that carries the ID inside. Make a single entry-point web component act as a router and block any other direct access. Perform the session check on the router by validating the token and the ID data it contains.
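The flawed cookie scheme beside the router-side check described above, as an added example that is not code from the original note. It uses an HMAC-signed token so that an edited ID fails verification (the property that blocks the attack); the note's "encrypted token" would add confidentiality on top, e.g. with authenticated encryption. The key, cookie names and the `router` return shape are assumptions for this example.

```python
import base64, hashlib, hmac, json, time

# Constructed key for the example; in production load it from a secret store.
SECRET_KEY = b"example-only-key-change-me"

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")
def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _cookie_value(cookie, name):
    for part in cookie.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None

def insecure_user_from_cookie(cookie):
    """The flawed scheme: trusts a plain 'uid=<id>' cookie that anyone can edit."""
    return _cookie_value(cookie, "uid")

def issue_token(user_id, key=SECRET_KEY, ttl=3600, now=None):
    """Mint a token carrying the user ID and an expiry, bound by an HMAC over the payload."""
    now = time.time() if now is None else now
    payload = _b64e(json.dumps({"uid": user_id, "exp": int(now) + ttl}).encode())
    sig = _b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig

def verify_token(token, key=SECRET_KEY, now=None):
    """Return the user ID only if the HMAC matches and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = _b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None  # payload edited or signature forged
        claims = json.loads(_b64d(payload))
        return int(claims["uid"]) if claims["exp"] >= now else None
    except (ValueError, KeyError, TypeError):
        return None

def router(cookie, key=SECRET_KEY, now=None):
    """Single entry point: the session check runs here before any application code."""
    uid = verify_token(_cookie_value(cookie, "session") or "", key, now)
    return (200, uid) if uid is not None else (401, None)

def rewrite_uid(token, new_uid):
    """Test helper: change the ID in a token but keep the old signature, to confirm rejection."""
    payload, sig = token.split(".", 1)
    claims = dict(json.loads(_b64d(payload)), uid=new_uid)
    return _b64e(json.dumps(claims).encode()) + "." + sig
```

A request that still carries only the old `uid=` cookie, or a token whose ID was edited, gets a 401 from the router, so application code behind it never sees an unverified identity.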