I am currently creating an RPC server using gRPC and want a secure way to handle session tokens. I am currently using stateful session handling, where the user logs on and the server replies with an session token, which the client sends in every RPC request. The server then uses this token to verify that the client is authenticated, and that the calling user has sufficient permissions. All communication happens over TLS, all standard stuff.
I’m concerned about the possibility that if an attacker got a hold of a valid session token, they could then use the token to pose as the user who originally had that token. I’ve been wondering if there’s a standard or well known algorithm that would allow clients to generate new stateful session tokens before every request that would only be valid for one use.
I’m thinking this could work similarly to how TLS negotiates a session key from the client random, server random, and premaster secret. Both the client and the server could decide on a shared “seed” that will allow them both to produce peudorandom session tokens in a deterministic order, and an attacker who gets ahold of a session token will only be able to use it if the client hasn’t already. The server would verify the client’s session tokens by generating the next session token from the shared “seed”, and verifying that it matched the sent session token.
The benefit of this would be that session tokens would only be valid for one request, but this system would fail if an attacker somehow got ahold of the shared “seed”. Still, because the “seed” would never be sent over the wire, this could provide some extra security. Does something like this exist, and if not is this a solid idea worth implementing? I do not want to roll my own crypto, hence why I am primarily seeking some standard way of doing this. But if nothing like this exists, I want to know if this is a flawed idea or not.