When an HTTPS conversation is initiated, a random number is generated to create a key for the exchange (or something like that). What I don't understand is how this prevents replay attacks.
Why can't an attacker just repeat all the requests that the real client made?
This answer claims it isn't possible, while this answer claims the opposite. I can't see how an attack wouldn't be possible, unless there were nonces involved.
The answer is here, courtesy of @Emirikol: https://softwareengineering.stackexchange.com/a/194668/245162
HTTPS can be enough to secure the server from replay attacks (the same message being sent twice) if the server is configured to only allow the TLS protocol as per RFC 2246 section F.2.
This is done through the use of Message Authentication Codes (MAC).
Also see: https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake_in_detail