We have a classic web application, and when a user signs in, we return a session token (UUIDv4). The user can choose whether the session should expire when the browser/app is closed or if he prefers to always stay connected (1 year at least).
If an attacker gets the session token, I want a way to mitigate the possibility of using it.
A solution could be to also add a One Time Password to each API client call. On the server side, if the session token is correct, we also need to check that the OTP is good.
We use micro-services in FaaS/workers where the CPU time is limited, which is why we are also searching for the fastest method to verify an OTP.
Which kind of OTP could I use please?
I suppose HOTP isn't good because of the nature of TCP/IP, where some requests couldn't be correctly acknowledged and would de-sync the counters between the client and server.
I suppose TOTP isn't good either because the client time is not necessarily in sync with the server (or we would also need to send the current client time, but I'm afraid this creates a bias in the protection).
[EDIT]
Maybe my question wasn't precise enough, so I've posted my idea of a One-Time-Password based on HMAC + SHA1 + timestamp: https://security.stackexchange.com/questions/268882/protection-against-user-session-attacks-hijack-replay-tampering-csrf-xss
If you have a better suggestion (faster OTP verification / better session protection), I invite you to share it.
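As an added example (not code from the question or the linked post): the HOTP counter desync raised above, worked through in Python with RFC 4226 HOTP and the standard server-side look-ahead window, which is how a server recovers when a client burned counters on requests that never arrived. The key, the window size of 5 and the lost-request scenario are constructed for the demo.

```python
import hmac
import hashlib
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one session: the shared key plus the next
    expected counter. The look-ahead window lets the server accept a code
    up to `window` counters ahead, i.e. tolerate that many lost requests."""

    def __init__(self, key: bytes, window: int = 5):
        self.key = key
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1  # skip past it so the code cannot be replayed
                return True
        return False


def demo() -> dict:
    """Constructed scenario: one normal request, two lost requests, a replay,
    then drift beyond the window (which needs an explicit resync step)."""
    key = b"constructed-demo-key-not-for-real-use"
    server = HotpVerifier(key, window=5)
    client_counter = 0
    results = {}
    results["first"] = server.verify(hotp(key, client_counter))  # counter 0
    client_counter += 3                       # counters 1 and 2 were lost in transit
    code = hotp(key, client_counter)          # client is now at counter 3
    results["after_loss"] = server.verify(code)      # within window, accepted
    results["replay"] = server.verify(code)          # same code again, rejected
    client_counter += 11                      # far beyond the window (counter 14)
    results["beyond_window"] = server.verify(hotp(key, client_counter))
    return results


if __name__ == "__main__":
    print(demo())
```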