Session and Replay Protection

Updated: 2026-05-22

This page is intentionally limited to public-safe guidance.

Public Protection Model

  1. Authentication uses one-time nonce-based proof of wallet control.
  2. Access/session tokens are short-lived and scoped by use case.
  3. Replay attempts are rejected by server-side nonce/token state checks.
  4. Play and spectate tokens are session-scoped and should not be reused after expiry or reconnect rejection.
  5. Browser access cookies avoid repeated signatures while they remain valid, but once they are gone the frontend cannot safely recreate a backend session from an old nonce signature, since that nonce has already been consumed.
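As an added example (not the project's own code), a minimal server-side model of items 1 to 3: a wallet-bound, expiring, single-use nonce registry and HMAC-signed tokens scoped to one use case. The `verify_sig` hook, the token layout and the TTL values are assumptions.

```python
import hashlib, hmac, secrets, time


class NonceStore:
    """Server-side registry of issued nonces (constructed example): a nonce is
    bound to one wallet, expires after `ttl`, and is deleted on first use."""
    def __init__(self, ttl=120, clock=time.time):
        self.ttl, self.clock = ttl, clock
        self._pending = {}  # nonce -> (wallet, issued_at)

    def issue(self, wallet):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (wallet, self.clock())
        return nonce

    def consume(self, wallet, nonce):
        # pop() removes the nonce on first use; a replay finds nothing.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        bound_wallet, issued_at = entry
        return bound_wallet == wallet and self.clock() - issued_at <= self.ttl


def issue_token(key, wallet, scope, ttl, now):
    """Short-lived HMAC token scoped to one use case ("play", "spectate")."""
    payload = f"{wallet}|{scope}|{int(now) + ttl}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_token(key, token, scope, now):
    """Return the wallet if tag, scope and expiry all check out, else None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    wallet, tok_scope, exp, tag = parts
    expected = hmac.new(key, f"{wallet}|{tok_scope}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered token
    if tok_scope != scope or int(exp) <= now:
        return None  # wrong use case or expired
    return wallet


def login(store, key, wallet, nonce, signature, verify_sig, scope, ttl=300):
    """Exchange a signed nonce for a scoped token; `verify_sig` is an assumed
    hook for the wallet signature check, run before the nonce is consumed."""
    if not (verify_sig(wallet, nonce, signature) and store.consume(wallet, nonce)):
        return None  # bad signature, or unknown/expired/foreign/reused nonce
    return issue_token(key, wallet, scope, ttl, store.clock())
```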

Public Integration Advice

  1. Always request fresh auth material when validation fails.
  2. Do not reuse expired or consumed session artifacts.
  3. Treat repeated auth/session failures as security signals, not normal retries.
  4. Use interactive signing only for actions that truly need an authenticated backend session.