This answer may help you in terms of replay attacks at the network level. The use of a "nonce" can also help protect against the same semantic request being made multiple times by the same client.

In terms of a Man In The Middle (MITM) intercepting a hash and replaying it in place of a password, it is true that this is possible, but equally this is possible when state is stored on the server and a plain session token cookie is being exchanged, but should be made more difficult in both cases by using HTTPS with strong configuration (strong ciphers, EDHC, modern protocols, HSTS with preloading, possibly HPKP. You may use https://www.ssllabs.com/ssltest/ to test your configuration.

Using secure http only cookies can also help protect against accidental state disclosure as might a CSP to prevent unauthorised scripts trying to perform exfiltration.

Processes, like that used in JWT, might help protect you against the concern of a malicious client opening up their local storage of cookies and modifying them (e.g. someone trying to change their local state that would be sent to the server). By utilising public key infrastructure (PKI), providing the private key is kept safe, this technique is effective in validating a digital signature (ensuring client state wasn't changed when reading it on the server). This is as you point out in your question part 3, the server doesn't need to necessarily map the client token to validate it, it "just" needs to validate the HMAC to ensure message integrity before trusting the data).

On a more broad level, being strictly restful in maintaining client state on the client, whilst brining many benefits in terms of scalability does bring some challenges, like those you mention here, and in many cases you can achieve acceptable scalability with server side managed state replication and partitioning to isolate faults to a smaller subsection of your user. E.g. think about Redis and managed hosting like AWS Elasticache which might make your life easier. When state is managed exclusively on the client it can become harder to do things like revocation and premature expiration.

I hope that this helps in some way,

This answer may help you in terms of replay attacks at the network level. The use of a "nonce" can also help protect against the same semantic request being made multiple times by the same client.

In terms of a Man In The Middle (MITM) intercepting a hash and replaying it in place of a password, it is true that this is possible, but equally this is possible when state is stored on the server and a plain session token cookie is being exchanged, but should be made more difficult in both cases by using HTTPS with strong configuration (strong ciphers, EDHC, modern protocols, HSTS with preloading, possibly HPKP. You may use https://www.ssllabs.com/ssltest/ to test your configuration.

Using secure http only cookies can also help protect against accidental state disclosure as might a CSP to prevent unauthorised scripts trying to perform exfiltration.

Processes, like that used in JWT, might help protect you against the concern of a malicious client opening up their local storage or cookies and modifying them (e.g. someone trying to change their local state that would be sent to the server). By utilising public key infrastructure (PKI), providing the private key is kept safe, this technique is effective in validating a digital signature (ensuring client state wasn't changed when reading it on the server). This is as you point out in your question part 3, the server doesn't need to necessarily map the client token to validate it, it "just" needs to validate the HMAC to ensure message integrity before trusting the data).

On a more broad level, being strictly restful in maintaining client state on the client, whilst brining many benefits in terms of scalability does bring some challenges, like those you mention here, and in many cases you can achieve acceptable scalability with server side managed state replication and partitioning to isolate faults to a smaller subsection of your user. E.g. think about Redis and managed hosting like AWS Elasticache which might make your life easier. When state is managed exclusively on the client it can become harder to do things like revocation and premature expiration.

I hope that this helps in some way,

This answer may help you in terms of replay attacks at the network level. The use of a "nonce" can also help protect against the same semantic request being made multiple times by the same client.

In terms of a Man In The Middle (MITM) intercepting a hash and replaying it in place of a password, it is true that this is possible, but equally this is possible when state is stored on the server and a plain session token cookie is being exchanged, but should be made more difficult in both cases by using HTTPS with strong configuration (strong ciphers, EDHC, modern protocols, HSTS with preloading, possibly HPKP. You may use https://www.ssllabs.com/ssltest/ to test your configuration.

Using secure http only cookies can also help protect against accidental state disclosure as might a CSP to prevent unauthorised scripts trying to perform exfiltration.

Processes like that used in JWT might help protected you against the concern of a malicious client opening up their local storage of cookies and modifying them (e.g. someone trying to change their local state that would be sent to the server). By utilising public key infrastructure (PKI), providing the private key is kept safe, this technique is effective in validating a digital signature (ensuring client state wasn't changed when reading it on the server). This is as you point out in your question part 3, the server doesn't need to necessarily map the client token to validate it, it "just" needs to validate the HMAC to ensure message integrity before trusting the data).

On a more broad level, being strictly restful in maintaining client state on the client, whilst brining many benefits in terms of scalability does bring some challenges, like those you mention here, and in many cases you can achieve acceptable scalability with server side managed state replication and partitioning to isolate faults to a smaller subsection of your user. E.g. think about Redis and managed hosting like AWS Elasticache which might make your life easier. When state is managed exclusively on the client it can become harder to do things like revocation and premature expiration.

I hope that this helps in some way,

This answer may help you in terms of replay attacks at the network level. The use of a "nonce" can also help protect against the same semantic request being made multiple times by the same client.

In terms of a Man In The Middle (MITM) intercepting a hash and replaying it in place of a password, it is true that this is possible, but equally this is possible when state is stored on the server and a plain session token cookie is being exchanged, but should be made more difficult in both cases by using HTTPS with strong configuration (strong ciphers, EDHC, modern protocols, HSTS with preloading, possibly HPKP. You may use https://www.ssllabs.com/ssltest/ to test your configuration.

Using secure http only cookies can also help protect against accidental state disclosure as might a CSP to prevent unauthorised scripts trying to perform exfiltration.

Processes, like that used in JWT, might help protect you against the concern of a malicious client opening up their local storage of cookies and modifying them (e.g. someone trying to change their local state that would be sent to the server). By utilising public key infrastructure (PKI), providing the private key is kept safe, this technique is effective in validating a digital signature (ensuring client state wasn't changed when reading it on the server). This is as you point out in your question part 3, the server doesn't need to necessarily map the client token to validate it, it "just" needs to validate the HMAC to ensure message integrity before trusting the data).

On a more broad level, being strictly restful in maintaining client state on the client, whilst brining many benefits in terms of scalability does bring some challenges, like those you mention here, and in many cases you can achieve acceptable scalability with server side managed state replication and partitioning to isolate faults to a smaller subsection of your user. E.g. think about Redis and managed hosting like AWS Elasticache which might make your life easier. When state is managed exclusively on the client it can become harder to do things like revocation and premature expiration.

I hope that this helps in some way,