We only use session['userid'] to validate at the backend. This is a well-known vulnerability; well, it'll get us marks deducted. If we have enough time we can think about how to change it to a safer approach; if not, it's not too bad, since at least the logic is running correctly.
Okay, so I tested what happens if I modify the userid in the cookie/session and try to steal an identity; that's not working. So it's still relatively safe as the status quo, hopefully.
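The tampering test described above succeeds only if the cookie carrying session['userid'] is tamper-evident. The following is an added illustration, not code from the project under discussion; it assumes a Flask-style signed cookie and stands in for that mechanism with a small HMAC-SHA256 scheme of its own (the key and the userid values are constructed for the example). It shows why editing the userid inside the cookie fails verification, and shows the alternative the thread alludes to: keeping the session server-side so the cookie holds only an opaque random id and never the userid itself.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed key for the example only; a deployment loads its key from configuration.
SECRET_KEY = b"example-secret-key-not-for-production"


def sign_session(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise a session dict into a tamper-evident cookie: base64(payload).base64(mac)."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + base64.urlsafe_b64encode(mac).decode()


def load_session(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict if the MAC verifies, otherwise None.

    Any byte changed in the payload (e.g. the userid) changes the expected MAC,
    so a client without the key cannot produce a cookie that verifies.
    """
    try:
        payload, sig = cookie.rsplit(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
            return None
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        # Malformed base64/JSON or a missing separator: treat as no session.
        return None


def tamper_userid(cookie: str, new_userid: int) -> str:
    """Model the test from the thread: a client rewrites the userid inside its own cookie.

    The signature is left as-is because the client does not hold the key.
    """
    payload, sig = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(payload))
    data["userid"] = new_userid
    new_payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return new_payload + "." + sig


class ServerSideSessions:
    """Alternative design: the cookie carries only a random id; userid lives on the server."""

    def __init__(self):
        self._store = {}

    def create(self, userid: int) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._store[sid] = {"userid": userid}
        return sid

    def current_userid(self, sid: str):
        session = self._store.get(sid)
        return session["userid"] if session else None

    def destroy(self, sid: str) -> None:
        # Logout invalidates the id immediately, unlike a signed cookie that stays valid until expiry.
        self._store.pop(sid, None)


def demo():
    """Return (session from genuine cookie, session from tampered cookie)."""
    cookie = sign_session({"userid": 42})
    forged = tamper_userid(cookie, 1)
    return load_session(cookie), load_session(forged)


if __name__ == "__main__":
    print(demo())
```

Either way the backend still has to check, per request, that the userid in the session is allowed to act on the specific resource being requested; integrity of the cookie only proves who the user is, not what they may do.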