DEV Community

Discussion on: What's the recommended method for designing secure and performant web sessions in 2018?

rhymes • Edited

> thought of doing this, but this means I will end up writing my own session logic anyway, right?

Exactly, which I would avoid.

> Doesn't this apply exactly the same to server-based sessions? If the session id or the cookie containing the session id was stolen, the attacker can very easily impersonate the victim just by adding it to his cookies.

Yes, exactly. So why not just use an existing implementation? JWTs are not secure by default; you need to put them in a secure, httponly cookie, which is basically what you're going to accomplish by using sessions anyway.

JWT is just a token, it's not magically secure.

For Node.js maybe Express Session will do?

A tutorial: medium.com/of-all-things-tech-prog...

PS: I'm not trying to say "never use JWT", it's just that I don't see the benefits in this particular case.