by san_at_weblegit 3053 days ago
Tangential answer: it would vary based on the sensitivity of your application. JWT is not a bad option if we do not have a requirement of absolute session termination and if the implementation does not have any vulnerability. People also use a cookie shared on the root domain (the back end and front end can be served from different subdomains). You can also use custom headers, since a cookie is just another type of header managed by the browser itself; the additional work would be around managing the additional header on the back end. People generally open the door to CSRF attacks by separating the front end and back end like this. The good thing is that there are simple solutions to mitigate that risk too.
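As an added illustration of the two mitigations the comment alludes to (not code from the commenter or from any project), here is a minimal server-side check for a back end served on a different subdomain from its front end. It assumes a constructed allowlist of front-end origins and a hypothetical custom header name; the idea is that an HTML form submitted cross-site cannot set a custom header, and a script can only do so after a CORS preflight that the back end answers only for allowed origins. The session cookie is issued with a `Domain` attribute so both subdomains receive it.

```python
# Added example: CSRF defence for a split front end / back end deployment.
# ALLOWED_ORIGINS and CSRF_HEADER are assumptions for this example.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com"}   # constructed allowlist
CSRF_HEADER = "X-Requested-With"                # hypothetical custom header
COOKIE_DOMAIN = "example.com"                   # root domain shared by subdomains


def session_cookie(session_id):
    """Build a Set-Cookie value shared across subdomains of the root domain.

    Secure/HttpOnly keep it off plain HTTP and out of reach of scripts;
    SameSite=Lax stops most cross-site POSTs from carrying it at all.
    """
    return (f"session={session_id}; Domain={COOKIE_DOMAIN}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def cors_headers(origin):
    """Answer a preflight only for allowed origins (the gate that makes
    the custom-header check meaningful)."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Headers": CSRF_HEADER,
        "Vary": "Origin",
    }


def csrf_check(method, headers):
    """Return (ok, reason) for a state-changing request.

    Rejects requests whose Origin (or, failing that, Referer) is not on the
    allowlist, and requests lacking the custom header that only a
    same-application script can set.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None and h.get("referer"):
        parts = urlsplit(h["referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    if CSRF_HEADER.lower() not in h:
        return False, "missing custom header"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: a legitimate XHR from the front end, and a
    # cross-site form post that carries the cookie but no custom header.
    print(csrf_check("POST", {"Origin": "https://app.example.com",
                              CSRF_HEADER: "XMLHttpRequest"}))
    print(csrf_check("POST", {"Origin": "https://attacker.example.net"}))
    print(session_cookie("abc123"))
```

Both checks are cheap and independent: the origin allowlist catches forged requests that a browser labels honestly, and the custom-header requirement catches plain form submissions, which cannot add headers at all.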