Using JWTs for sessions is not a good idea unless you're on a microservice architecture and are communicating with multiple APIs with the same token. Otherwise, plain old sessions would be a lot better.
For more information and arguments, check out this post.
Sure, using JWT has its cons, like how to handle JWT theft: the system has to have a sort of 'black-list' feature to revoke that access, which implies keeping track of generated JWTs and creating a list in Redis or Memcache. Or using a unique secret to sign the JWT for every user, and changing it.
In a future article of this series, I'll talk about using sessions and its advantages.
Thanks for reading!
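The two revocation mechanisms named in the reply above (a deny-list of issued tokens kept in Redis or Memcache, and a per-user signing secret that can be rotated) as an added example, not code from the article or from any commenter. It is plain Python using only the standard library: HS256 signing is written inline rather than pulled from a JWT library, and in-memory dicts stand in for the user table (per-user secrets) and for a Redis key space with TTLs (the deny-list keyed by `jti`). The `JwtIssuer` class and all its method names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url_encode(data: bytes) -> str:
    """Base64url-encode without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url_encode; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class JwtIssuer:
    """Minimal HS256 issuer/verifier with a jti deny-list and per-user secrets (hypothetical design).

    Constructed stand-ins: self.user_secrets plays the role of a user table,
    self.denylist the role of a Redis/Memcache key space with TTLs.
    """

    def __init__(self):
        self.user_secrets = {}  # user_id -> 32-byte signing secret
        self.denylist = {}      # jti -> exp of the revoked token

    def secret_for(self, user_id):
        if user_id not in self.user_secrets:
            self.user_secrets[user_id] = secrets.token_bytes(32)
        return self.user_secrets[user_id]

    def issue(self, user_id, ttl=3600, now=None):
        """Sign a token with user_id's own secret; the random jti makes it individually revocable."""
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": user_id, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(16)}
        signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                         + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
        sig = hmac.new(self.secret_for(user_id), signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)

    def verify(self, token, now=None):
        """Return the payload if the token is valid, otherwise None.

        Order: parse, pin the algorithm, check the signature against the user's
        *current* secret, then expiry, then the deny-list.
        """
        now = int(time.time()) if now is None else now
        try:
            h_b64, p_b64, s_b64 = token.split(".")
            header = json.loads(b64url_decode(h_b64))
            payload = json.loads(b64url_decode(p_b64))
            sig = b64url_decode(s_b64)
        except ValueError:  # bad base64, bad JSON, wrong number of segments
            return None
        if not isinstance(header, dict) or not isinstance(payload, dict):
            return None
        if header.get("alg") != "HS256":  # the verifier, not the token, decides the algorithm
            return None
        sub = payload.get("sub")
        if not isinstance(sub, str) or sub not in self.user_secrets:
            return None
        expected = hmac.new(self.user_secrets[sub], (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return None
        if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
            return None
        if payload.get("jti") in self.denylist:
            return None
        return payload

    def revoke_token(self, token):
        """Deny-list one token's jti (in Redis this would be a SET with TTL = exp - now)."""
        try:
            payload = json.loads(b64url_decode(token.split(".")[1]))
        except (ValueError, IndexError):
            return False
        jti, exp = payload.get("jti"), payload.get("exp")
        if jti is None or exp is None:
            return False
        self.denylist[jti] = exp
        return True

    def rotate_user_secret(self, user_id):
        """Invalidate every token ever issued to user_id by changing the key they were signed with."""
        self.user_secrets[user_id] = secrets.token_bytes(32)

    def purge_expired(self, now=None):
        """Drop deny-list entries whose token has expired anyway; returns the remaining count."""
        now = int(time.time()) if now is None else now
        self.denylist = {jti: exp for jti, exp in self.denylist.items() if exp > now}
        return len(self.denylist)
```

The deny-list only ever needs to hold revoked tokens until their `exp`, so its size is bounded by one TTL of revocations; `purge_expired` is what a Redis TTL would do automatically. Rotating the per-user secret is the coarser tool: it needs no list at all but logs the user out of every client at once, and it means `verify` must look the user up on every request, which is exactly the state the comment below says a stateless token was supposed to avoid.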
Exactly. The problem is that JWTs are awesome because they're stateless, but if you're using them as a session and you have to handle all those security vulnerabilities, it starts to be stateful and loses its main benefit.
Anyways, awesome article! :)