Why JWTs Suck as Session Tokens

kim gysen

I don’t particularly understand how these things are a problem:
1) This is speculative. If the JWT is signed and TLS is used, you should be as good as the web can get. Moreover, cookies are also sent over the network. If you have an XSS vulnerability, either session or JWT can suffer the same fate; you’re at the mercy of the intelligence / creativity of the attacker either way.
2) I don’t understand why you can’t create a server blacklist. ‘Then it’s stateful again’. I’m quite sure that blacklists of blocked users should be a lot smaller than querying users from a user table. It seems very unlikely that you will ever need to scale those. What if the service goes down? Like any other system, you need load balancing or other ‘high availability’ mechanisms if you really think you need them. Makes you wonder about the same argument: how many websites are there that really need blacklists, or instantaneous removal of users that can’t wait until expiry?
Then why use JWT? Because developers don’t like to worry about scalability, even though the truth may be that your website may never need to. But if JWT offers the benefit of peace of mind without the downsides that sessions have, then why use sessions? Because they’re a bit smaller?