I'm searching for an alternative to NONCES to prevent replay attacks.
My scenario: I have implemented a ticket shop where you can buy tickets, and to prevent two persons from trying to buy the same ticket, I added a reservation system. So when you select the seats, a request to a reservation service is sent which stores the reservation for 10 mins. Now my problem: How can I prevent a potential attacker from sniffing the reservation requests and replaying them over and over again? This blocks the seats (and in the worst case ALL seats) infinitely.
As the ticket shop is open source, the code is available if necessary! Thank you already!
If someone else is facing the same kind of issue, here's what I did to solve the problem:
I added an optional (admins of the ticket shop can enable it) integration of reCAPTCHA. Once a seat is selected (and therefore needs to be reserved), the invisible captcha is executed and a client-side token is generated. This token is available for 2 mins and is sent to the back-end server, where it is verified using the Google API. When the token has already been used or has timed out, the server sends an error to the client, which then generates a new reCAPTCHA token and retries the request. Potential exploiters would need to generate such tokens on their own, which is, according to Google, not possible.
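The server side of the flow described in this answer, as an added example that is not the ticket shop's own code: seats are held for 10 minutes, each captcha token is accepted once, and a replayed request gets an error so the client can fetch a fresh token. The verifier is injected so the code runs offline; `FakeSiteVerify` is a constructed stand-in that imitates the shape of the reCAPTCHA siteverify response (`success`, and an `error-codes` entry of `timeout-or-duplicate` for a reused or expired token).

```python
import time

TOKEN_TTL = 120        # captcha tokens are valid for 2 minutes
RESERVATION_TTL = 600  # seats are held for 10 minutes


class FakeSiteVerify:
    """Constructed stand-in for the siteverify endpoint (assumption): a token
    is accepted once, within TOKEN_TTL of issue; any replay is a duplicate."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.issued = {}   # token -> issue time
        self.used = set()

    def issue(self, token):
        self.issued[token] = self.clock()

    def verify(self, token):
        if token not in self.issued:
            return {"success": False, "error-codes": ["invalid-input-response"]}
        if token in self.used or self.clock() - self.issued[token] > TOKEN_TTL:
            return {"success": False, "error-codes": ["timeout-or-duplicate"]}
        self.used.add(token)
        return {"success": True}


class ReservationService:
    """Holds seats for RESERVATION_TTL; every request must carry a fresh token."""
    def __init__(self, verify, clock=time.time):
        self.verify = verify   # callable(token) -> siteverify-style dict
        self.clock = clock
        self.held = {}         # seat -> (owner, expiry timestamp)

    def reserve(self, owner, seats, token):
        result = self.verify(token)
        if not result.get("success"):
            # A replayed or stale token is refused; the client must obtain a new one.
            return {"ok": False, "error": result.get("error-codes", [])}
        now = self.clock()
        for seat in seats:
            holder = self.held.get(seat)
            if holder and holder[1] > now and holder[0] != owner:
                return {"ok": False, "error": ["seat-taken"], "seat": seat}
        for seat in seats:
            self.held[seat] = (owner, now + RESERVATION_TTL)
        return {"ok": True, "expires": now + RESERVATION_TTL}
```

A replay of a captured request therefore fails at token verification before any seat is touched, and a hold that is never completed lapses on its own after 10 minutes.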