Why JWTs Suck as Session Tokens

I have been reading about this a lot and fail to understand the difference between session/sessionless implementation. Basically, I see 2 differences in both cases (Stateful vs Stateless using JWT)

  1. Stateless sessions cannot be invalidated.
  2. Stateless sessions can be huge.
  3. Implementation can be tough.

Regarding 1:
a) Stolen session vs stolen session ID - I think it depends on how they got stolen. If there is a man in the middle, then he can block the logout call and use the session too. On the other hand, if we keep JWT expiry small, like 2 min, the attacker will only have a 2 min window to attack.
b) Cookie is compromised - Session ID is compromised. A part of the JWT is compromised if kept in cookies.
c) JavaScript reading local storage - Session ID is safe but JWT is compromised. Again, splitting the JWT will help.
d) Invalidating session on suspicious activity - How do you learn about suspicious activities? I believe since JWT claims are flexible and signed, you can get the same information for validation as a session to match against the request. On any suspicion, keep blocking the request. Although in the case of the session we can invalidate the session at the first incident, which we cannot do in a stateless implementation. Again, if you have multiple servers storing sessions, the replication of the revoked status of the session may take time, which could be similar to the JWT expiration time.

Regarding 2:
I won’t consider it a disadvantage as such. Horizontal scaling does bring instances of the service closer to your geographical location. Also, HTTP/2 and HTTP/3 do have compression allowed. In the end, the industry is compromising on latency for horizontal scalability.

Regarding 3:
Implementation of sessions is also not easy. Highly sensitive session management can be prone to attacks that will cause frequent session invalidation. In some implementations, it can be a single point of failure. In some implementations, the databases used to store sessions can bring in some vulnerable components.

If one is already compromising on latency for horizontal scaling, I do not practically see any problem with JWT apart from not being able to invalidate, which is not a problem of JWT itself but of any stateless implementation, provided best practices are followed as mentioned in RFC 8725: JSON Web Token Best Current Practices.

Note: RFC 7009: OAuth 2.0 Token Revocation also talks about token revocation for OAuth 2.0, but it doesn’t look like a true stateless implementation.