This is the "finding the needle in a stack of needles" approach to password protection.
On WordPress, even if you log out from the site, you can still re-use the cookies and are automatically logged back in.
Both HTTP and mixed HTTP/HTTPS sites with no issues. Once user is logged out, cookies don't work any more.
We have one of "those" architects at work too. I just ignore him, more than likely he has never really coded an application and is only talking out his ass. Love iBatis/MyBatis. Way better than stored procedures and Hibernate stuff.
If your DBAs believe in hands off the database and your tables have a lot of churn, you are going to be in for some pain.
Do you want me to mansplain or do you want me to actually solve real problems? Your choice, Google.
When they see someone take their code and make a $M off of it, the lesson will be learned.
Beware of the Turing Tar-pit in which everything is possible but nothing of interest is easy.