by kodablah 3031 days ago
Yup, this board is full of JWT hate mostly predicated on the fact that it can be done wrong. Just use a random token as a session ID. Wrap in cookie for browser users and use browser session cookie expiration. Wrap in JWT and sign an expiration date in there for API use...no other state needed, use token to look up actual valuable state on server side as necessary. Expire them server side too based on application re-login requirements to prevent reuse (or sign your cookies w/ an expiration date like you do with JWT...but I always keep session tokens and expire them on the server side too for various reasons including auditing purposes).
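The design sketched in the comment above (random session ID, wrapped in an HS256 JWT with a signed `exp` for API clients, and still looked up and expired server-side) as an added worked example; this is not code from the original thread. It implements the JWT encoding by hand with the standard library, pins the algorithm to HS256, and treats the server-side session table as the source of truth, so revoking a session on the server invalidates a token whose signed expiry has not yet passed. The secret key, the `SessionStore` class and all sample values are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed HMAC key for the example only; a real deployment loads this from a secret store.
SECRET = b"example-hmac-key-constructed-for-demo"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class SessionStore:
    """Hypothetical in-memory session table: session_id -> record.

    The token only carries the ID; the 'actual valuable state' lives here,
    and expiry/revocation here wins over whatever the token's exp says."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str, ttl_seconds: int, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # random, unguessable session ID
        self._sessions[sid] = {"user": user, "expires_at": now + ttl_seconds, "revoked": False}
        return sid

    def lookup(self, sid: str, now: float):
        rec = self._sessions.get(sid)
        if rec is None or rec["revoked"] or now >= rec["expires_at"]:
            return None
        return rec

    def revoke(self, sid: str) -> None:
        if sid in self._sessions:
            self._sessions[sid]["revoked"] = True


def mint_jwt(sid: str, exp: float, key: bytes = SECRET) -> str:
    """Wrap the session ID in a compact HS256 JWT with a signed expiration."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sid": sid, "exp": exp}, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET, now: float = None):
    """Return the payload if the signature is valid and exp has not passed, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except (ValueError, binascii.Error):
        return None
    # Pin the algorithm: the verifier decides, never the token ("none" or a swapped alg is rejected).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    try:
        payload = json.loads(_b64url_decode(p))
    except (ValueError, binascii.Error):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return payload


def authenticate(token: str, store: SessionStore, now: float):
    """Full check: good signature, exp not reached, and session still live server-side."""
    payload = verify_jwt(token, now=now)
    if payload is None or not isinstance(payload.get("sid"), str):
        return None
    rec = store.lookup(payload["sid"], now)
    return None if rec is None else rec["user"]


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_700_000_000
    sid = store.create("alice", 3600, t0)
    tok = mint_jwt(sid, t0 + 3600)
    print("valid:", authenticate(tok, store, t0))
    store.revoke(sid)  # server-side expiry beats the still-valid signed exp
    print("after revoke:", authenticate(tok, store, t0))
```

Because `authenticate` consults the store, a leaked token stops working as soon as the server expires or revokes the session, which is the reuse-prevention and audit point the comment makes; the signed `exp` is a cheap first filter, not the only one.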

And what does that give you over just using a cookie?
Sometimes you don't have cookies? Like with mobile apps. With JWT you can also have uniform auth across mobile and web apps, and when done right it is a beautiful thing™.

Also cross domain/app data signing.

> Sometimes you don't have cookies? Like with mobile apps.

A cookie is just an HTTP header. Any mobile app that can speak HTTP can use cookies.