This tutorial has glaring, obvious security issues, namely:
- tokens should never be passed as cookies, use Authorization header instead;
- the ParseToken() implementation is not validating if the token is using a valid/secure encryption algorithm ('none' is a valid JWT algorithm);
- logging out is just deleting the cookie; as such, the token is still valid until it expires. You need to maintain a revocation list for "logged-out" tokens, preferably by user;
- while the example uses a low TTL for the token (5 min), it offers no insight on how to perform token refresh;
- on actual "secure" implementations, one should also keep track of the source profile of the connection (e.g. IP, browser, etc.) to detect misuse of the token.
Long story short, for many applications, JWT is actually a terrible option - complex to implement properly, complex to scale, and it still requires user resolution/lookup when additional info (like ACLs, contact info, etc.) is required.
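As an added example (not code from the tutorial or from the commenter above), a stdlib-only Python verifier for the two points that are directly checkable: the algorithm is pinned so an `alg: none` header is refused before any claim is read, and a per-user revocation list that logout populates is consulted before the token is accepted. HS256 and the list shape (`sub` -> set of `jti`) are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict, key: bytes) -> str:
    """Mint an HS256 token; present only so the example runs stand-alone."""
    signing_input = b64url(b'{"alg":"HS256"}') + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def parse_token(token: str, key: bytes, revoked: dict, now=None) -> dict:
    """Return the claims or raise ValueError. Order matters: pin the algorithm first,
    verify the MAC in constant time, and only then trust exp / sub / jti.
    `revoked` maps sub -> set of jti values recorded at logout (shape assumed here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    if json.loads(unb64url(h_b64)).get("alg") != "HS256":  # refuses 'none' and any other alg
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(p_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")  # a token without exp is treated as expired
    if claims.get("jti") in revoked.get(claims.get("sub"), set()):
        raise ValueError("token revoked")
    return claims


def logout(revoked: dict, claims: dict) -> None:
    """What logout must do besides clearing the cookie: record the jti under its user."""
    revoked.setdefault(claims["sub"], set()).add(claims["jti"])
```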