Considerations for using JWT tokens- Part 2Sanatan Waghulkar
To cater to this challenge create a blacklist or whitelist the tokens – a stateful JWT token can be implemented. But that again introduces server-side storage. This is nearing the implementation of the Session itself with added payloads as the size of JTW tokens is usually larger than the session Ids.
JWTs being more sophisticated, the attack vectors that can be thought of for JWT have more options compared to Sessions. This is debatable as sessions also can be abused in different ways. But being established for decades, implementing protection against session abuse like SQL injection can be safeguarded. Another advantage that sessions offer is inbuilt support in various platforms to implement session management. Implementing JWT needs more attention to implementation compared to session management.
JWTs are usually best suited for authentication, whereas to use them for authorization JWT in combination with protocols like OAuth needs to be considered.
While making the decision to use JWTs in your application landscape, definitely weigh out the pros and cons of session Vs JWT. It’s an important decision – to be taken wisely.