Your login flow is vulnerable to session fixation. This allows an attacker to take over a victim's valid, authenticated session.
1. As the attacker, go to https://wallet.sandbox.romit.io (but do not login!) and check the cookies that are set, e.g. SANDBOX-XSRF-TOKEN. For example:
2. Now simulate the victim by opening a second browser and setting those two cookies.
3. As the victim, login in the second browser.
4. As the attacker, go to https://wallet.sandbox.romit.io (using the first browser / the same cookies as in step 1). You are now logged in to the victim's account.
This can be exploited remotely if there is another bug on your website, such as HTTP Response Splitting, that lets an attacker set cookies in the victim's browser.
A far easier way is to exploit this on shared computers. For example, in a library, the attacker opens https://wallet.sandbox.romit.io (but does not login!) and notes the cookies as in step 1. The attacker then walks away; when a victim later uses the same computer and logs in, the attacker has access to the victim's account, because the session the victim authenticated is the one the attacker already holds.
Assigning a new session identifier when someone logs in (rather than promoting the pre-login session to an authenticated one) should fix this flaw.
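One way to implement that fix, as an added example that is not code from this report or from the romit.io site: a toy server-side session store with the fixable login routine beside the corrected one, and a replay of the steps above against each. All names (SessionStore, login_fixable, login_fixed, demo) are assumptions for illustration.

```python
# Added example (not the site's code): why reusing the pre-login session id
# enables fixation, and the fix of issuing a fresh id at login.
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session_id -> {"user": username or None}

    def new_anonymous(self):
        """Issue an unauthenticated session, e.g. on the first visit to the site."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        """Return the user bound to this session id, or None if anonymous/unknown."""
        return self._sessions.get(sid, {}).get("user")

    def login_fixable(self, sid, username):
        """Vulnerable: authenticate the id the browser already presents, so an id
        planted before login (step 1 above) becomes the victim's live session."""
        self._sessions.setdefault(sid, {})["user"] = username
        return sid

    def login_fixed(self, sid, username):
        """Fixed: drop the pre-login session and mint a fresh id; the planted id
        stays unknown to the store, so whoever seeded it gains nothing."""
        self._sessions.pop(sid, None)  # invalidate the pre-login id
        fresh = secrets.token_urlsafe(32)
        self._sessions[fresh] = {"user": username}
        return fresh


def demo(fixed):
    """Replay the report's scenario against either login routine and return
    the user the attacker's pre-seeded id maps to after the victim logs in."""
    store = SessionStore()
    attacker_sid = store.new_anonymous()  # step 1: id obtained before any login
    # steps 2-3: the victim's browser carries that same id and authenticates
    login = store.login_fixed if fixed else store.login_fixable
    login(attacker_sid, "victim")
    # step 4: the attacker presents the original id
    return store.user_for(attacker_sid)
```

With the vulnerable routine `demo(fixed=False)` returns "victim"; with the corrected one `demo(fixed=True)` returns None, which is the behaviour to check in a regression test for the login endpoint.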