But this attack shows crackers just intercepting an replaying the creds. Discouraging that might involve IP or other checks. Defeating it might involve total encryption.
Anything that you send in the clear to assert your identity can be replayed. IPs etc are easy to spoof so are not an adequate counter. You can include a timestamp in the hashed information so that the hashed info cannot be reused more than a certain amount of time after it is generated, but you have to allow for transmission delay and the server's clocks being out of sync, so if an attacker is quick enough they can replay your tokens even if you have made them time sensitive.
Using a request counter + timestamp or a one time password in the token would be much more preferable, but is more expensive to assert with each request, and is still suseptible to interception and spoof attacks, if not replay attacks.
There's really very little that is a valid substitution for encrypting all traffic here, IMO. The rampant use of unencrypted transmission of tokens on these sites today rely on the fact that it is harder to stage a man in the middle attack once requests leave your local network. But as tools for use on public wi-fi networks become easier to use and more prevalent this is only going to become a larger and larger problem.
"If you want to know what happens to you when you die, go look at some dead stuff." -- Dave Enyeart