5.1.4 Replay Attack

[WSFederation1.2] section 16 specifies that security tokens can be replayed. SSL/TLS is the primary defense against replay, but implementers should also understand that an appropriate validity period for the token constrains the time during which a security token can be replayed.<90>
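
The following is an added example, not part of this specification or of any product's code, showing how a relying party can enforce the validity period and refuse a second presentation of the same token inside it. It assumes the security token is a SAML 1.1 assertion whose signature has already been verified; `ReplayGuard`, `MAX_SKEW`, `MAX_LIFETIME` and the sample token are hypothetical names and constructed values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML11 = "{urn:oasis:names:tc:SAML:1.0:assertion}"
MAX_SKEW = timedelta(minutes=5)      # assumption: tolerated clock skew
MAX_LIFETIME = timedelta(hours=1)    # assumption: local cap on validity period

# Constructed sample token (not taken from the specification).
SAMPLE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="_constructed-0001">'
    '<saml:Conditions NotBefore="2024-01-01T12:00:00Z" '
    'NotOnOrAfter="2024-01-01T12:10:00Z"/></saml:Assertion>'
)

def parse_ts(value):
    """Parse a UTC xs:dateTime without fractional seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class ReplayGuard:
    """Validity-period check plus a cache of token IDs seen inside that period."""

    def __init__(self):
        self.seen = {}  # AssertionID -> time after which the token is expired anyway

    def check(self, token_xml, now):
        # Assumption: signature already verified; use a hardened XML parser in production.
        root = ET.fromstring(token_xml)
        cond = root.find(SAML11 + "Conditions")
        if cond is None or not {"NotBefore", "NotOnOrAfter"} <= set(cond.attrib):
            return "reject: no validity period"
        not_before = parse_ts(cond.get("NotBefore"))
        not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
        if not_on_or_after - not_before > MAX_LIFETIME:
            return "reject: validity period exceeds policy"
        if now + MAX_SKEW < not_before:
            return "reject: not yet valid"
        if now - MAX_SKEW >= not_on_or_after:
            return "reject: expired"
        # Entries only need to live until the token would be rejected as expired,
        # so a short validity period also bounds the size of this cache.
        self.seen = {k: v for k, v in self.seen.items() if v > now}
        token_id = root.get("AssertionID")
        if not token_id:
            return "reject: no AssertionID"
        if token_id in self.seen:
            return "reject: replayed"
        self.seen[token_id] = not_on_or_after + MAX_SKEW
        return "accept"
```

With the constructed token, the first presentation inside the window is accepted, a second presentation of the same `AssertionID` is rejected as a replay, and any presentation after `NotOnOrAfter` plus the skew allowance is rejected as expired.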