[wwalser]

Cookies have several security features built in and if all you're storing is a session identifier they are generally better than a JWT from a size perspective.

This does a better job that I'm going to try for in a HN comment: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-fo...