If you are using node-jsonwebtoken, pyjwt, namshi/jose, php-jwt or jsjwt with asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512) please update to the latest version. See jwt.io for more information on the vulnerable libraries. (Updated 2015-04-20)
This is a guest post from Tim McLean, who is a member of the Auth0 Security Researcher Hall of Fame. Tim normally blogs at www.timmclean.net.
auth0.com/blog/2015/03/31/critical-vulnerabilitie…
For implementations, see jwt.io
I would personally stay away from JWT except for pet projects, HTTP-only + Secure cookies have been around for a long time, have been tried and tested, had their vulnerabilities fixed whereas JWT might still have plenty of flaws in it to be discovered.