JWT (JSON Web Token) seems like the new standard for authentication. JWTs have lots of benefits, but are riskier when compared to HTTP sessions. What's your opinion about JWTs? Would you use them in your application?
As with most things, this depends on your use case. In APIs, JWT is probably the better choice. In a front-end, server-side application, sessions are probably the right path. That being said, there are use cases where you need to use JWT instead of sessions and vice versa. There is no one way with this.
Thanks for the answer! In my particular use case we want to log users in. JWT seems like a bad choice for this, because it seems insecure as tokens cannot be invalidated. If somebody could steal a user's token, they'd be able to perform unauthorised actions. So I guess the real question is: are JWTs really that bad for authenticating users on a website? Would you rather use JWTs or HTTP sessions?
What would be your choice?
From what you have said I assume you are building a server-side application; if not, that would basically invalidate this response. With that assumption intact, sessions are definitely the way forward. They are easier to deal with and reduce the logic needed. I would always go for the simpler option.
Just to be clear, JWTs are not insecure. Uses of JWTs are insecure. There are implementations of OAuth2 that use JWTs, can invalidate the token, and are secure.
Nicholas Wiersma
Software developer, general human being.
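The point above, that a JWT can be invalidated when the server keeps a little state, as an added example that is not part of the thread: a minimal HS256 mint/verify pair where every token carries a short expiry and a unique `jti`, and verification consults a server-side revocation set. The secret and the in-memory denylist are constructed for the demo; a deployment would load the key from a secret store and back the denylist with shared storage such as Redis.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo secret; load from a secret store in a real service.
SECRET = b"demo-secret-do-not-use-in-production"
REVOKED_JTIS = set()  # server-side denylist; the state plain JWT verification lacks

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(sub: str, jti: str, ttl: int, now: Optional[int] = None) -> str:
    """Issue a short-lived HS256 token carrying a unique jti for later revocation."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(payload).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"

def revoke(jti: str) -> None:
    """Invalidate one token before it expires (logout, or response to a stolen token)."""
    REVOKED_JTIS.add(jti)

def verify(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload when alg, signature, exp and revocation checks pass, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64(h))
        if header.get("alg") != "HS256":  # pin the algorithm; never honour alg=none
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
        payload = json.loads(_unb64(p))
    except (ValueError, KeyError):
        return None
    if payload.get("exp", 0) <= now:  # short TTL bounds how long a stolen token is usable
        return None
    if payload.get("jti") in REVOKED_JTIS:  # explicit invalidation, e.g. after a theft report
        return None
    return payload
```

A stolen token is therefore usable only until its `exp` passes or its `jti` is revoked, which is the trade-off the answer alludes to: the revocation set is exactly the server-side state that sessions give you for free.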