by bigonlogn 3655 days ago
JWT is just a token. It's not some panacea of client-side only authentication. There are a lot of people lamenting the difficulty in performing logout via JWT. I believe people are missing the point. The failing isn't with JWT, it's with the implementation of the session system.

Typically with sessions the client has a session key. The key gets sent to the server where it looks up the session (via memory, cache, database, whatever). You can create a new session, validate an existing session, or end a session. All using that key. The only difference between JWT and cookies is JWTs aren't automatically sent with every request. You have to explicitly send them. I believe this is a good thing. It avoids some common attack vectors.


Is there anything wrong with saving the token in the cookie? I'm not exactly sure how to save them in the header. I'm guessing save it to localStorage and use javascript to pass it back to the server?
This article talked a bit about putting them in cookies:

  The header method is preferred for security reasons - cookies would be susceptible to CSRF (Cross Site Request Forgery) unless CSRF tokens were used.

  Secondly, the cookies can be sent back only to the same domain (or at most second level domain) they were issued from. If the authentication service resides on a different domain, cookies require much more wild creativeness.
As far as putting something in the header, if you're using JavaScript, check out superagent. It's as easy as:

  request(url).set('SomeHeader', 'SomeValue') // superagent; end() sends the request
    .end(function (err, res) { /* handle response */ });
or, with the latest HTTP Fetch API, just do:

  var request = new Request('/users.json', {method: 'POST',
    headers: new Headers({'Content-Type': 'text/plain'})
  });

  fetch(request).then(function(response) { /* handle response */ });
You can also supply an options object (including headers) as the second argument[1].

[1] https://developer.mozilla.org/en-US/docs/Web/API/GlobalFetch...
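Added example (not from the thread or the linked article) showing both halves of the header approach discussed in this answer: the client puts the JWT in an Authorization header through fetch's options argument, and the server accepts only a well-formed Bearer value and pays no attention to cookies. The fake transport, the allow-list verifier and the demo token are constructed stand-ins for a real network and a real signature check.

```javascript
// Added example, not from the thread: send the JWT in an Authorization header
// (fetch's second argument carries the headers) and check it server-side.
// The "server" is a plain function so the round trip runs without a network.
const BEARER_RE = /^Bearer ([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/;

// Constructed demo token: header {"alg":"HS256"}, payload {"sub":"alice"},
// and a placeholder signature. A real verifier checks the signature; here
// the token is simply on a constructed allow-list of issued tokens.
const DEMO_TOKEN = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl';
const ISSUED_TOKENS = new Set([DEMO_TOKEN]);

function verifyToken(token) {
  if (!ISSUED_TOKENS.has(token)) return null;
  return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
}

// Client side: the token travels only because this code adds the header.
// Unlike a cookie, the browser never attaches it on its own, so a forged
// cross-site request (the CSRF case in the quoted article) arrives without it.
// With the real fetch this returns a Promise; with fakeFetch below it is sync.
function authorizedFetch(url, token, fetchImpl) {
  return fetchImpl(url, {
    method: 'GET',
    headers: { 'Authorization': 'Bearer ' + token },
  });
}

// Server side: accept exactly one well-formed "Bearer <jwt>" value.
function extractBearerToken(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = BEARER_RE.exec(headerValue.trim());
  return m ? m[1] : null;
}

// Request handler: no header, no service. A cookie alone is never consulted.
function handle(req) {
  const token = extractBearerToken((req.headers || {})['authorization']);
  if (!token) return { status: 401, body: 'missing or malformed Authorization header' };
  const claims = verifyToken(token);
  if (!claims) return { status: 401, body: 'token not recognised' };
  return { status: 200, body: 'hello ' + claims.sub };
}

// Fake transport standing in for fetch: lower-cases header names the way an
// HTTP server sees them, then hands the request to handle().
function fakeFetch(url, init = {}) {
  const headers = {};
  for (const [k, v] of Object.entries(init.headers || {})) headers[k.toLowerCase()] = v;
  if (init.cookie) headers['cookie'] = init.cookie;
  return handle({ url, method: init.method || 'GET', headers });
}

// Round trips: the header-carried token succeeds; a cookie-only request, which
// is all a cross-site page could make the browser send, is refused; so is a
// header whose value is not a three-part base64url token.
function demo() {
  return {
    withHeader: authorizedFetch('/users.json', DEMO_TOKEN, fakeFetch).status,
    cookieOnly: fakeFetch('/users.json', { cookie: 'jwt=' + DEMO_TOKEN }).status,
    malformed: fakeFetch('/users.json', { headers: { Authorization: 'Bearer not.a.jwt!' } }).status,
  };
}
```

The trade-off the question hints at is where the token lives on the client: putting it in localStorage so script can set the header keeps it out of CSRF's reach, but makes it readable by any script running on the page, so the choice depends on which of the two risks the application can better contain.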