Are JWT still not recommended for sessions?


It seems there is a large divide as to wether or not you should have JWT or Session ID for managing user session on WebApp/API (for a web front end or/and a mobile app).

It seems that the consensus goes to not using JWT (1,2,3,4) and keep on using cookies but i’ve seen more and more tutorials and people using JWT by default.

Even OSWAP now use JWT as session token instead of cookies (it is stored in the authorisation header/cookies and not in local storage obviously… but that not a hard task).

I’m trying to look at it neutrally and they seem to fit my usage:

  • session id also have an expiration date that can be long or short so i fail to see how it is an argument.
  • session id are persisted in the backend so having a blacklist for JWT doesn’t seem to be a “worst” solution
  • implementation are of the same level off complexity.

While with JWT i can:

  • store data inside the cookie is a nice feature to have (for roles for example)
  • fail my queries early if the token is in the blacklist/ if the data stored in the token is not validated (ie: try to access a route where your role, stored in the jwt, shouldn’t have access)
  • can be stateless on some routes, if needed / possible / less security required (no blacklist).
  • can be used as one time tokens for download

Is it still not recommended to use them as session? are there security issues i’m not aware of? Both could work for my use case but jwt would allow me to do more and currently i’m leaning towards using session “just because” of the consensus.