An attacker with local access to the machine could record the traffic,
which could allow them to resend requests without the server
authenticating that the user or session are valid.Read More