by brown9-2
2190 days ago
These are orthogonal concepts. A session ID is just a token that the server uses to look up some state about the request that presented the token. A JWT is a token that can be used to present a claim of who the requestor is (and the server can verify it). A session ID token doesn’t help my request prove I am who I say I am when I call your API for the first time, unless you’ve implemented some sort of state store that all of your API services and server share.

Yes, it's called session storage, and it used to be incredibly common. These issues are not "orthogonal", because a primary promise of JWTs was the ability to get rid of that shared session storage and just put that identifying info into the signed token.
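
Added example, not written by either commenter: the two models from this exchange side by side, showing that a session ID only validates where the session store is reachable, while a signed token validates anywhere the key is held but outlives a server-side logout. All function names are hypothetical, and HS256 with a shared demo key is an assumption chosen to keep the sketch in the standard library.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(data):                       # base64url without padding, as JWTs use
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_session(user, store, ttl=3600):
    sid = secrets.token_urlsafe(32)   # opaque: carries no information itself
    store[sid] = {"sub": user, "exp": time.time() + ttl}
    return sid

def check_session(sid, store):
    entry = store.get(sid)            # needs the same store the issuer wrote to
    if entry is None or entry["exp"] < time.time():
        return None
    return entry["sub"]

def issue_jwt(user, key, ttl=3600):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def check_jwt(token, key):
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return None               # pin the algorithm; never let the token pick
        good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, _unb64(sig)):
            return None               # forged or signed with another key
        claims = json.loads(_unb64(body))
        if claims["exp"] < time.time():
            return None               # expired
        return claims["sub"]
    except (ValueError, KeyError, AttributeError, TypeError):
        return None                   # malformed token

def demo():
    key = secrets.token_bytes(32)     # constructed key for the demo
    store_a, store_b = {}, {}         # two services WITHOUT shared session storage
    sid, tok = issue_session("alice", store_a), issue_jwt("alice", key)
    results = {"sid_a": check_session(sid, store_a), "sid_b": check_session(sid, store_b),
               "jwt_b": check_jwt(tok, key)}
    del store_a[sid]                  # server-side logout takes effect at once...
    results["sid_after_logout"] = check_session(sid, store_a)
    results["jwt_after_logout"] = check_jwt(tok, key)   # ...the JWT stays valid until exp
    return results
```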