Why You Should Stop Using JWTs for Sessions

The author contends that JWTs are an insecure and inefficient choice for maintaining user sessions compared to traditional cookies. They argue that the 'stateless' benefits of JWTs are illusory because secure applications still require server-side state for token management. Ultimately, developers are urged to use proven session-based tools built into their frameworks instead of following the industry hype surrounding JWTs.
Key Points
- JWTs are designed for short-lived, one-time use cases rather than the long-term persistence required for user sessions.
- Truly stateless authentication is a myth because secure token revocation requires a server-side data store anyway.
- The JWT specification is considered untrustworthy and flawed by security experts due to inherent design risks.
- Traditional cookie-based sessions are more flexible, efficient, and better supported by existing web frameworks.
- The widespread use of JWTs for sessions is driven by hype and educational bootcamps rather than security best practices.
Sentiment
The overall sentiment is mixed but technically nuanced. The community generally agrees with the narrow recommendation to avoid JWTs as the default mechanism for browser user sessions, especially when developers are using them to chase statelessness. At the same time, many commenters are skeptical of the article's broad language, object to claims that JWTs are inherently insecure, and defend JWTs as appropriate for short-lived federated identity and service-to-service use cases.
In Agreement
- JWTs are a poor fit for ordinary browser sessions because secure logout, revocation, permission changes, and stolen-token handling require server-side state anyway.
- If each request must consult a revocation list or session authority, an opaque session cookie backed by a session store is usually simpler and more flexible.
- The JOSE and JWT ecosystem has enough historical footguns and configuration hazards that using it for routine session management adds unnecessary risk.
- Claims of statelessness often hide complexity in refresh flows, cache invalidation, key rotation, gateway enforcement, and revocation infrastructure.
- Session databases are rarely the scaling problem developers fear, while self-contained tokens can make security and operations harder to reason about.
Opposed
- The article overstates the case by treating JWTs as broadly bad rather than limiting the critique to browser session management.
- JWTs remain useful for OAuth, OIDC, service-to-service authentication, cloud identity, and systems where issuer and verifier do not share a database.
- Cookies and JWTs are different categories: cookies store or transport credentials, while JWTs are signed tokens, so the comparison can be misleading.
- Short-lived access tokens with refresh-token flows and targeted revocation can be secure and efficient when implemented carefully.
- Mature libraries and well-known standards may be preferable to custom token schemes, because their pitfalls are documented and widely scrutinized.