I am creating a client-server application and I'd like to send data from server to client securely.
Using public/private key algorithms makes sense and in PHP we can use openssl_sign and openssl_verify functions to check that the data came by someone who has the private key.
Now imagine that one of the actions sent by server to client is destructive in nature. If somebody uses an HTTP sniffer to catch this command (which will be signed properly) how can I make sure that the command was executed only when our server sent it and not by a hacker simply reproducing the same command?
OK while writing this I figured out that using auto-increment id to number every sent message could be a simple solution to the problem. Client would just have to check that the incoming message ID is never smaller that the current ID they have stored.