by silviogutierrez 2406 days ago
Sounds like JSON Web Tokens! Should have stuck to sessions if that's the case.

Admittedly, the performance benefits of JWT are probably warranted here. But still, you either end up building an in-memory blacklist or a DB table, thus negating most benefits.

2 comments

I often tend to just use relatively short-lived tokens (12 hrs mostly), which avoids a lot of issues in practice. It depends on the use case. Depending on their DB systems and caching infrastructure, the JTI as a key in a revocation database would work. It's not always worth implementing though.
It's not that hard to build a highly available active-active session service given time and engineering headcount.

It's hard if you're trying to get out the door fast, though.

Yea I'm not saying it's impossible. But I'm saying it's probably easier to just make traditional cookies/sessions scale.

I went through my shiny JWT phase. I'm happily back in session land though.