Hacker News
Stop Using JWTs gist revives the session-versus-token debate
- Category: Pulse
- Status: discussion
- Sources: gist, discussion
- Summary: A widely shared gist argues against using JSON Web Tokens for sessions, favoring opaque server-side session identifiers for revocation and simplicity. The thread rehearsed the standard tradeoffs: stateless scaling and cross-service verification for JWTs versus immediate revocation and smaller attack surface for server sessions.
- Comments: HN commenters largely agreed that JWTs are misused for sessions but defended them for short-lived, service-to-service authorization where revocation matters less.