Paseto tokens don't really address any problem that is actually that important/relevant. JWT is good enough and, when used properly, has no security issues. Basically, sign them using a sane algorithm, distribute them over HTTPS and of course manage your private keys in a sane way.
Companies not capable of doing this properly have bigger issues that Paseto won't fix either. Such companies would do well to use products/frameworks based on standards implemented by people that do know what they are doing. And mostly those would rely on JWTs.
One of the most common high-impact issues is failing to expire sessions. In one case, the expiration date was set to be a whole year - once a user had a valid JWT, the system would accept it for a whole year, even if the user's account was deactivated on day 2.
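The two comments above boil down to three verifier-side rules: pin the signing algorithm, enforce (and cap) the expiry, and check account state rather than trusting the token alone. The following is an added example written for this thread, not code posted by either commenter and not from any library; it uses only the Python standard library, the secret key is a constructed demo value, and the deactivated-account set stands in for whatever user store a real service would query.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Set

# Constructed demo key. A real service loads this from a secret store/KMS.
SECRET_KEY = b"constructed-demo-key-do-not-use"
PINNED_ALG = "HS256"            # the verifier decides the algorithm, never the token header
MAX_LIFETIME_SECONDS = 15 * 60  # reject tokens minted with a longer lifetime (e.g. one year)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json_b64(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(subject: str, lifetime_seconds: int, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT with iat/exp claims (helper so the example is self-contained)."""
    now = int(time.time()) if now is None else now
    signing_input = _json_b64({"alg": PINNED_ALG, "typ": "JWT"}) + "." + _json_b64(
        {"sub": subject, "iat": now, "exp": now + lifetime_seconds}
    )
    sig = hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, deactivated_subjects: Set[str], now: Optional[int] = None) -> dict:
    """Return {"ok": bool, "reason": str, "claims": dict|None}; never raises on bad input."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed token", "claims": None}
    header_b64, payload_b64, sig_b64 = parts

    # 1. Pin the algorithm before doing anything else with the token.
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueError
        return {"ok": False, "reason": "malformed token", "claims": None}
    if not isinstance(header, dict) or header.get("alg") != PINNED_ALG:
        return {"ok": False, "reason": "unexpected alg", "claims": None}

    # 2. Verify the signature in constant time over the exact bytes that were signed.
    expected = hmac.new(SECRET_KEY, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return {"ok": False, "reason": "bad signature", "claims": None}

    # Only now is the payload worth parsing.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return {"ok": False, "reason": "malformed token", "claims": None}
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return {"ok": False, "reason": "missing exp/iat", "claims": None}

    # 3. Enforce expiry, and refuse tokens whose lifetime exceeds policy even if unexpired.
    if now >= exp:
        return {"ok": False, "reason": "expired", "claims": None}
    if exp - iat > MAX_LIFETIME_SECONDS:
        return {"ok": False, "reason": "lifetime too long", "claims": None}

    # 4. A valid signature says the token was issued, not that the account still exists.
    if claims.get("sub") in deactivated_subjects:
        return {"ok": False, "reason": "account deactivated", "claims": None}
    return {"ok": True, "reason": "ok", "claims": claims}


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice", 600, now=t0)
    print(verify_token(tok, set(), now=t0 + 100)["reason"])          # ok
    print(verify_token(tok, {"alice"}, now=t0 + 100)["reason"])      # account deactivated
    print(verify_token(tok, set(), now=t0 + 600)["reason"])          # expired
```

The lifetime cap is what turns the "one-year token" story into a rejected token at verification time; the deactivation check is what closes the "deactivated on day 2" gap for tokens that are still within policy. In a real deployment the set lookup becomes a query against the user store or a short-lived revocation cache.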
> What about all the languages that can simply use libsodium directly
Nothing. It's great they do that.
I made a comment that refuted a snarky remark that had no basis. I did not compare languages nor post claims about a language's awesomeness or anything else, just that it uses libsodium and that silly remarks centered around trashing PHP are based on lack of knowledge.
I agree the snark on PHP doesn't make much sense. I just don't think your reply is much better. This changes nothing - if anything, it shows that PHP needs to have libsodium integrated before it's available, which seems to be worse than other languages that can simply use it directly.
So, there's a library called libsodium that deals with cryptography, and your comment, based on literally nothing, is that PHP is somehow "worse" than other languages, yet PHP and other languages use libsodium for cryptographic purposes. What does "worse" mean? Somehow, the bytes get corrupted mid-transfer? We're arguing languages here for no reason at all, yet you are not even aware of how PHP uses it (spoiler: it uses it like the other unnamed languages do, since there's only one way to do it).
If you have any arguments to support your "which seems to be worse", I'm waiting to read them.
Out of curiosity - why do you try to instantly compare A to B without knowing how A or B work internally? What's the gain in this discussion other than you making a claim you can't support and me being a jackass that wastes his time trying to talk to you?