by gregopet 692 days ago
For a simple website JWTs are almost definitely an overkill (you would get all the drawbacks for none of the benefits). A session based authentication with some libs from your ecosystem for the crypto parts and a nice intro on how to combine them together could be the perfect thing for you.
1 comment

I have always found JWT easier to deal with than session-based authentication.
The nice thing about using sessions is that you mark the cookies as HttpOnly and avoid them ever being leakable by cross-site scripting. And you get them transparently in your JS -> backend calls.

Of course, the downside is that once you move to multiple servers you have to think about setting up sticky load balancing or distributed sessions.
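As an added illustration of the session approach both comments describe (this is example code, not anything posted in the thread), here is a minimal server-side session layer in stdlib Python: a random session id stored server-side, issued in a cookie flagged HttpOnly, Secure and SameSite=Lax, with sliding expiry and immediate server-side revocation on logout. The `SessionStore` class, the `sid` cookie name and the one-hour TTL are assumptions for the example; the in-memory dict stands in for the shared store (Redis, a database) that "distributed sessions" would use once more than one app server has to recognise the same cookie.

```python
"""Minimal HttpOnly-cookie session handling, stdlib only.

Added example, not from the thread. The dict inside SessionStore stands in
for a store shared by all app servers (e.g. Redis); swapping it for one is
what "distributed sessions" means in practice.
"""
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"   # assumed cookie name
SESSION_TTL = 3600       # assumed idle timeout in seconds


class SessionStore:
    """Maps hashed session ids to session records."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, handy for testing expiry
        self._sessions = {}      # stand-in for a shared store

    @staticmethod
    def _key(sid):
        # Keep only a hash server-side: a leaked store dump cannot be replayed as cookies.
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[self._key(sid)] = {
            "user_id": user_id,
            "expires": self._now() + SESSION_TTL,
        }
        return sid

    def lookup(self, sid):
        """Return the user id for a live session, or None (unknown or expired)."""
        key = self._key(sid)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        if rec["expires"] <= self._now():
            del self._sessions[key]
            return None
        rec["expires"] = self._now() + SESSION_TTL   # sliding expiry
        return rec["user_id"]

    def destroy(self, sid):
        # Logout is a server-side delete: the cookie is dead at once, which is
        # the revocation story a self-contained token does not give you for free.
        self._sessions.pop(self._key(sid), None)


def set_cookie_header(sid):
    """Build the Set-Cookie value for a freshly created session."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    c[SESSION_COOKIE]["httponly"] = True    # invisible to document.cookie, so XSS cannot read it
    c[SESSION_COOKIE]["secure"] = True      # never sent over plain HTTP
    c[SESSION_COOKIE]["samesite"] = "Lax"   # not attached to cross-site POSTs
    c[SESSION_COOKIE]["path"] = "/"
    c[SESSION_COOKIE]["max-age"] = SESSION_TTL
    return c.output(header="").strip()


def sid_from_cookie_header(cookie_header):
    """Extract the session id from an incoming Cookie header, or None."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    morsel = c.get(SESSION_COOKIE)
    return morsel.value if morsel else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    header = set_cookie_header(sid)
    print("Set-Cookie:", header)
    # The browser echoes only "sid=..." back in the Cookie header.
    print("user:", store.lookup(sid_from_cookie_header(header.split(";")[0])))
    store.destroy(sid)
    print("after logout:", store.lookup(sid))
```

The browser attaches the cookie to every same-origin fetch automatically, which is the "transparent in JS -> backend calls" property above; the server side only ever sees an opaque id and does the lookup itself.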