Hacker News
by blattimwind 2854 days ago
So you've minted a token, stored that in the DB as well, and every time you see that token you verify the signature and then you look the token up in your DB to see if it's still valid. You do realize that at that point you could've just handed out a random string instead and avoided (1) creating and verifying signatures and (2) the size inflation created by those signatures, because you're not even getting any of the theoretical advantages of minting tokens.
2 comments

If you're just handing out the random string without signing it (or performing some other constant-time comparison when validating), you're vulnerable to timing attacks.
It is a random string, I just created it with uuid(). Nothing was ever verified. Is minting tokens an official term that has to do with JWT? I thought it was just short-hand for the process I just described.
Minting tokens specifically refers to JWT-like constructions AKA "[probably-RSA-]signed cookies".

Generating a sufficiently (16-32 bytes) long string of randomness and using just that as a session ID stored in a database is a perfectly fine technique, scales well enough and is quite hard to get wrong.
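
A sketch of the random-session-ID approach discussed in this thread, added here as an example and not code posted by any commenter. It hashes the ID before the database lookup, which is one common way to address the timing concern raised above; the table layout, function names and TTL are assumptions made for the example.

```python
import hashlib
import secrets
import sqlite3
import time

SESSION_TTL = 3600  # seconds; constructed value for this example


def open_store():
    # In-memory SQLite stands in for the application's session table.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        "id_hash TEXT PRIMARY KEY, user TEXT NOT NULL, expires REAL NOT NULL)"
    )
    return db


def id_digest(session_id):
    # Only the SHA-256 of the ID is stored and compared. A leaked table then
    # holds no usable IDs, and the index comparison runs on a hash the client
    # cannot steer byte by byte, so its timing says nothing about the ID.
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


def create_session(db, user, now=None):
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
    db.execute(
        "INSERT INTO sessions VALUES (?, ?, ?)",
        (id_digest(session_id), user, now + SESSION_TTL),
    )
    return session_id  # sent to the client; never stored in the clear


def lookup_session(db, session_id, now=None):
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT user, expires FROM sessions WHERE id_hash = ?",
        (id_digest(session_id),),
    ).fetchone()
    if row is None or row[1] <= now:
        return None  # unknown, revoked or expired
    return row[0]


def revoke_session(db, session_id):
    # Revocation is a row delete, the property a signed token alone lacks.
    db.execute("DELETE FROM sessions WHERE id_hash = ?", (id_digest(session_id),))
```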