Stop Using JWTs

456 points · 265 comments on HN


JWT tokens should not be used for browser user sessions; use regular cookie sessions instead.

The gist argues that JWTs are misused for session management: they are designed only for very short-lived tokens (~5 minutes) and cannot provide secure stateless authentication. It recommends regular cookie sessions as the better tool, noting that JWTs end up needing revocation lists anyway and are inefficient. The author also criticizes the JWT specification itself as insecure, citing early vulnerabilities such as the 'none' algorithm, and proposes PASETO as a secure alternative for short-term signed tokens. The gist rebuts common counterarguments: Google uses JWTs only as an SSO transport, not for sessions, and 'stateless is a lie', since any app with users has state.

What commenters are saying

Many commenters agree that JWTs are the wrong choice for browser sessions but defend them for service-to-service communication. One camp argues that JWT libraries have improved on their poor defaults, citing CVEs such as CVE-2022-23540 as historical issues. Another notes that you can't invalidate a JWT without a revocation list, which defeats its purpose. One commenter suggests PASETO avoids algorithm confusion by design. A correction: the FIFA hack was not about JWTs but about client-side auth. A key point: revocation lists can be smaller than full session databases, but size concerns are minimal for most apps.
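The points from the gist summary and the thread (the 'none' algorithm, the ~5-minute lifetime, the revocation list you need anyway, algorithm confusion) combined in one verifier, as an added example that is not code from the gist or from any commenter. It is a minimal HS256 implementation; the key, claims and timestamps are constructed for the demo.

```python
import base64, hashlib, hmac, json
MAX_LIFETIME = 300  # the ~5-minute ceiling the gist says JWTs are designed for

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims: dict, key: bytes) -> str:
    # Issuer side: fixed HS256 header, compact JSON, unpadded base64url.
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, revoked: set, now: float) -> dict:
    try:
        h64, c64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token")
    # Pin the algorithm here, never trust the header: this rejects 'none' and alg confusion.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    if not isinstance(claims, dict) or not {"iat", "exp", "jti"} <= set(claims):
        raise ValueError("missing iat/exp/jti")
    # Short-lived only: unexpired, and never issued for longer than MAX_LIFETIME.
    if claims["exp"] <= now or claims["exp"] - claims["iat"] > MAX_LIFETIME:
        raise ValueError("expired or lifetime too long")
    if claims["jti"] in revoked:  # the revocation list you end up needing anyway
        raise ValueError("revoked")
    return claims

def demo(now: float = 1_700_000_000.0) -> dict:
    key = b"constructed-demo-key"  # constructed scenario, not a real deployment
    claims = {"sub": "alice", "iat": now, "exp": now + 120, "jti": "t1"}
    good = mint_hs256(claims, key)
    unsigned = b64url_encode(b'{"alg":"none"}') + "." + good.split(".")[1] + "."
    cases = {"valid": (good, set(), now + 10), "revoked": (good, {"t1"}, now + 10),
             "expired": (good, set(), now + 121), "alg_none": (unsigned, set(), now + 10),
             "too_long": (mint_hs256({**claims, "exp": now + 86400}, key), set(), now + 10)}
    results = {}
    for name, (tok, rev, at) in cases.items():
        try:
            verify_hs256(tok, key, rev, at)
            results[name] = "ok"
        except ValueError as e:
            results[name] = str(e)
    return results
```

`demo()` returns one outcome per case; only the properly signed, short-lived, unrevoked token comes back `"ok"`.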