Discussion on: Using JWTs for authentication—is it worth the effort?

Andrej Rypo

I wouldn't say you are wrong. You send a piece of information to the server (a cookie) that authenticates you on that server. The cookie gets verified for authenticity and carries the ID of a user, whose context is then pulled from a session store. You can implement exactly the same with JWT. You send the JWT carrying the user ID to the server, the server verifies the authenticity, and you pull the context of the session from a server-side store. You can use JWT to implement stateful APIs too.

But JWT gives you so much more. It can carry permissions. You need not pull the permissions on the server side, as you have them encoded in the token. What use would this have? Temporary permissions. You can generate a valid token that allows a person to do something they are not allowed to. Say you want to give write access to an article you want him to author.

And frankly I don't understand what extra overhead there is. You still need to generate and deliver a cookie and then send it to the server with each request and then authenticate it server side. You only write different code, not less complicated code. There's support for cookies out of the box, sure, but is the loss of the flexibility JWT offers worth the saved 10 lines of code?
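
Added example, not part of the comment above: a sketch of the "temporary permission" token it describes, as an HS256 JWT built with the Python standard library only. The claim name `grant`, the key, the user ID and the `article:1001` resource label are assumptions made for illustration; the verifier checks the signature in constant time, pins the algorithm, enforces expiry and matches the grant exactly.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: server-side HS256 key, constructed for this example

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    return b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_grant(user_id, action, resource, ttl, now=None):
    """Mint a short-lived token that permits one action on one resource."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "iat": now, "exp": now + ttl,
              "grant": {"action": action, "resource": resource}}  # hypothetical claim name
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    return signing_input + "." + sign(signing_input)

def authorize(token, action, resource, now=None):
    """Return the user id if the token permits this request, else None."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, sig = token.split(".")
        # Verify the signature over the exact bytes received before parsing any claim.
        if not hmac.compare_digest(sig, sign(head_b64 + "." + body_b64)):
            return None
        header = json.loads(unb64url(head_b64))
        claims = json.loads(unb64url(body_b64))
    except (ValueError, TypeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None  # the permission is temporary: reject once expired
    if claims.get("grant") != {"action": action, "resource": resource}:
        return None  # the grant covers only the named action and resource
    return claims.get("sub")
```

Because nothing is looked up server-side, such a grant stays valid until `exp`, so the lifetime passed as `ttl` is the only revocation control in this sketch.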