Where do you store secrets in CLJS apps?

There are no secrets. You can store session data. That can be used within the same channel as a key to state on the server.

Two critical things.

  • Give the data very short lifetimes. Minutes. Less than the expected session length. Remove them and refresh them every few transactions. The right length of time and frequency are all “depends.” Explicitly remove them at log off, even though the time-to-live/expire will kill them eventually. You can’t trust someone to keep time correctly. Basically, presume they’re out to harm you.

  • Never use anything related to your servers or the users. Never create your own tokens either. Use a prebuilt PRNG. The Java libraries have a secure random class. Use it for your keys. Don’t recreate the wheel. If possible, keep all of your keys in-memory on the server. Depending on your application, firewalling access to the keys in memory might be needed (unusual, but not too rare).

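An added example, not from the answer above, sketching the server-side store the answer describes in Clojure: tokens drawn from java.security.SecureRandom, a short TTL, rotation every transaction, and explicit removal at log off. The in-memory atom, the function names and the five-minute TTL are assumptions for illustration.

```clojure
(ns session-store
  (:import [java.security SecureRandom]
           [java.util Base64]))

;; Assumed in-memory store: token -> {:user-id ... :expires-at <epoch ms>}
(defonce sessions (atom {}))

;; Platform CSPRNG; tokens are never derived from user or server data.
(def ^SecureRandom rng (SecureRandom.))

;; Short lifetime, here five minutes; the right value "depends".
(def ttl-ms (* 5 60 1000))

(defn new-token
  "32 random bytes as URL-safe base64 without padding (43 chars)."
  []
  (let [buf (byte-array 32)]
    (.nextBytes rng buf)
    (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) buf)))

(defn create-session! [user-id now-ms]
  (let [tok (new-token)]
    (swap! sessions assoc tok {:user-id user-id :expires-at (+ now-ms ttl-ms)})
    tok))

(defn lookup
  "Session map for a live token; nil if unknown or expired."
  [tok now-ms]
  (when-let [s (get @sessions tok)]
    (when (< now-ms (:expires-at s)) s)))

(defn rotate!
  "Replace a live token and renew its TTL; the old token dies immediately."
  [tok now-ms]
  (when-let [s (lookup tok now-ms)]
    (let [new-tok (new-token)]
      (swap! sessions #(-> % (dissoc tok)
                           (assoc new-tok (assoc s :expires-at (+ now-ms ttl-ms)))))
      new-tok)))

(defn logoff!
  "Explicit removal at log off; do not rely on expiry alone."
  [tok]
  (swap! sessions dissoc tok)
  nil)

(defn purge-expired!
  "Run periodically so expired entries do not linger in memory."
  [now-ms]
  (swap! sessions #(into {} (remove (fn [[_ s]] (<= (:expires-at s) now-ms))) %)))
```

Call `rotate!` on each request the client makes and `logoff!` when the user ends the session; `lookup` treats anything past `:expires-at` as absent even before `purge-expired!` has run.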