
I am currently studying stateless server design. I learnt how to store HMAC-based tokens in HTTP cookies. The idea is that the server has a secret key and is the only entity able to generate valid tokens.

I also read this thread: How do stateless servers work?

There is an interesting example about a PayPal-like website. If an attacker just copies the content of a token, he can do whatever he wants with the account until the token becomes invalid.

I see several ways to avoid that issue:

  • Store the IP address or its hash in the token: possibly annoying for the user?
  • Store the user-agent or its hash in the token: low added value
  • Ask for re-authentication for security-sensitive use cases (e.g. password change)
  • Add a one-time password layer

Are there additional weaknesses? How can one protect against these weaknesses?

Robert
