I am developing a SPA application (Single Page App) in angular 4 (its backup is done in ASP Web Api but that is not relevant). I need to create an authentication mechanism with the server to make sure the user is valid without using sessions ( HttpContext.Session in mvc, $ _SESSION in PHP).
So far I have tried the following:
Cookies
Try using cookies but the browsers where the app will be used have cookies turned off so it is discarded as well.
Send username and password in each request
I thought about saving the user and password in a private object and in each request send the authentication. Now, this results in the information being exposed in each request, something that the security department does not accept.
Token
Apparently it is the best option since it hides the user's information, but the same situation mentioned above can also occur. By simply copying the token from a valid request, an attacker could add that token to your request and access the system.
What options exist to create an ASP without using sessions on the server and avoid the aforementioned?