Applications need to maintain logged-in “sessions” for all users that use their app. Once a user logs in, they can continue to access parts of the application without having to log in (i.e., authenticate) again and again for each subsequent request made to the server. There are two main ways to do this: one is JSON Web Tokens (JWTs), and the other is session tokens. Both have pros and cons. Now, there’s a hybrid approach that takes advantage of the best of both.
JWTs and Session Tokens: Pros and Cons
With JWTs, the user data is stored client-side within the token itself. This makes JWTs a popular session management solution among developers looking to reduce their server load and improve latency. One downside is that session cancellation can be more difficult because the validation happens client-side rather than server-side. Due to the client-side validation, this can cause greater security concerns because you can’t easily revoke the underlying session if there’s a threat.