Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Token Replay

Training Camp • Cybersecurity Glossary

What is Token Replay?

An attack that captures a valid authentication or session token and reuses it to impersonate a user—mitigated by short expiry, nonces, and token binding.

Glossary > Identity & Access Management > Token Replay

Token Replay — An attack that captures a valid authentication or session token and reuses it to impersonate a

Understanding Token Replay

Token replay is an attack in which an adversary captures a valid authentication or session token and reuses (replays) it to impersonate the legitimate user and gain unauthorized access. Because the token is genuine, the target system accepts it, so the attacker bypasses login without ever knowing the user's credentials.

The attack depends on obtaining a token and on the system accepting that token more than once or after it should be invalid. Tokens may be stolen via network interception of unencrypted traffic, cross-site scripting that reads them from the browser, malware, or insecure storage and logging. Once captured, the attacker presents the same session cookie, bearer token, or SAML/OAuth assertion to the server. Defenses center on limiting reuse: short token lifetimes, single-use nonces and timestamps, server-side session validation and revocation, transport encryption (TLS), and token binding that ties a token to a specific client or TLS channel so a stolen token fails elsewhere.

This matters because tokens are the currency of modern authentication and federated single sign-on; a replayed token grants the same access as a successful login. It defeats password protections entirely and can give attackers sustained access until the token expires or is revoked. Standards like OAuth 2.0 and OpenID Connect explicitly incorporate anti-replay measures such as nonces, short-lived access tokens, and refresh-token rotation for this reason.

For example, a user logs into a web application over an insecure public Wi-Fi network without proper TLS, and an attacker on the same network captures the session cookie. The attacker injects that cookie into their own browser and is immediately recognized as the authenticated user, viewing the victim's account and data. If the application had enforced HTTPS, short session lifetimes, and bound the session to the original client, the captured token would have been useless to the attacker.

Learn More About Token Replay:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →