I am building a product for my company on Odoo 8. I want to know how I can prevent my application from session hijacking. I have taken a few steps for that:
Changing the session ID after successful login and logout.
I have also used SSL to encrypt data between client and server.
But the security team of my company is not signing off on my product, since they said they can copy the cookie of a logged-in person and just paste it into another browser and easily access the account. But according to me that is possible if the machine is physically compromised. I don't know what I should do now.
Any help on this would be appreciated.
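The two measures named in the question (rotating the session ID at login and logout, and TLS on the wire) narrow how an attacker can obtain the session ID, but once a valid cookie value has been copied into another browser neither of them rejects it; what limits that exposure is server-side control over the session itself. The following is an added illustration, not the poster's code and not Odoo's session implementation, written in plain Python with a small in-memory store so it runs stand-alone. The store class, the `SESSION_TTL` value and the cookie name `session_id` are assumptions made for the example. It shows: an unguessable session ID, rotation on login so the pre-login ID is discarded, invalidation on logout so the old ID is dead on the server even if a copy still exists, an idle timeout that bounds how long a copied cookie stays usable, and the `Secure`/`HttpOnly`/`SameSite` cookie attributes that reduce the ways the value can be read or replayed.

```python
import secrets
from http.cookies import SimpleCookie
import time

# Idle timeout in seconds (constructed value for the example).
SESSION_TTL = 30 * 60


class SessionStore:
    """Server-side session store (assumption: in-memory; a real deployment
    would use a shared store so logout/expiry apply on every worker)."""

    def __init__(self):
        # session id -> {"uid": user id or None, "created": ts, "last_seen": ts}
        self._sessions = {}

    def create(self, uid=None, now=None):
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG: the id cannot be guessed or enumerated.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"uid": uid, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid, now=None):
        """Return the session record, or None if unknown or idle too long."""
        now = time.time() if now is None else now
        record = self._sessions.get(sid)
        if record is None:
            return None
        if now - record["last_seen"] > SESSION_TTL:
            # Idle sessions are dropped server-side, so a copied cookie
            # stops working after SESSION_TTL of inactivity.
            self._sessions.pop(sid, None)
            return None
        record["last_seen"] = now
        return record

    def login(self, old_sid, uid, now=None):
        """Rotate on authentication: the anonymous id observed or fixed before
        login is discarded, and a fresh id is bound to the user."""
        self._sessions.pop(old_sid, None)
        return self.create(uid, now)

    def logout(self, sid, now=None):
        """Invalidate server-side. Clearing the cookie in the browser is not
        enough: a copy of the old value must also be rejected here."""
        self._sessions.pop(sid, None)
        return self.create(None, now)


def session_cookie(sid, name="session_id", max_age=SESSION_TTL):
    """Build the Set-Cookie header value for a session id."""
    cookie = SimpleCookie()
    cookie[name] = sid
    cookie[name]["secure"] = True      # only transmitted over HTTPS
    cookie[name]["httponly"] = True    # not readable from page scripts
    cookie[name]["samesite"] = "Lax"   # not attached to most cross-site requests
    cookie[name]["path"] = "/"
    cookie[name]["max-age"] = max_age  # browser-side lifetime matches the server
    return cookie.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    auth = store.login(anon, uid=7)
    print("old id still valid after login?", store.lookup(anon) is not None)
    print("Set-Cookie:", session_cookie(auth))
    store.logout(auth)
    print("old id still valid after logout?", store.lookup(auth) is not None)
```

Note what this does and does not solve: the server rejects the old ID after rotation, logout or idle expiry, and the cookie attributes stop the value being read by scripts or sent over plain HTTP, but a cookie copied from a browser while the session is live is indistinguishable from the legitimate one until the session ends. Short idle timeouts, explicit logout, and re-authentication before sensitive actions are the controls that shrink that window.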