JWT should not be your default for sessions

#48 · 🔥 334 · 💬 226 · 2 years ago · evertpot.com · mfbx9da4 · 📷
A few years later we got JWT, and it's hot shit! JWT itself is a standard for signed (or, less commonly, encrypted) JSON claims, and it is used a LOT for authentication. An important thing to point out is that in order to support logout you will likely still need a centralized storage mechanism: a signed token stays valid until it expires, so the only way to reject it earlier is to keep a server-side list of revoked tokens, which is the very thing JWTs were supposed to 'solve'. A last issue with JWTs is that they are relatively big; a token carrying even a few claims runs to several hundred bytes, and when it is used in a cookie that is sent with every request it adds a lot of per-request overhead. All in all, that's a lot of drawbacks just to avoid a central session store. It's not my opinion that JWTs are universally a bad idea or without benefits, but there is a lot to consider.

One thing that's surprised me when reading tech blogs is how much chatter there is around JWT. Especially on Medium and subreddits like /r/node I see intros to JWT on an extremely regular basis. One article mentions that it might be better to use standard session storage instead. One article uses both standard session storage and JWT, making the JWT unneeded. My point in all this is not to discourage the use of JWT in general, but to be deliberate and careful when you do.