Why JWT Is a Bad Choice for Session Management (And When It Works)

Background and Terminology

JSON Web Token ( JWT) is often promoted as a replacement for traditional session handling. For clarity, the article defines three related terms:

Stateless JWT : a token that encodes the entire session payload inside the JWT itself.

Stateful JWT : a token that only contains a reference or ID to a server‑side session store.

Session token (or Session cookie) : the classic signed session identifier used by most web frameworks, with the session data stored on the server.

Misleading Comparisons

Comparing Cookies directly with JWT is meaningless—cookies are a storage mechanism, while JWTs are signed tokens. The proper comparison is Session vs JWT, and separately Cookies vs Local Storage.

Commonly Claimed Advantages of JWTs

The article lists several benefits often touted by JWT advocates and then refutes each claim.

1. Easy Horizontal Scaling

Only true for truly stateless JWTs, which few projects need. Most applications can achieve scaling by using a shared Redis store for sessions, requiring no special handling.

2. Ease of Use

In practice, developers must implement their own session management logic for JWTs, whereas most frameworks provide out‑of‑the‑box session cookie support.

3. Greater Flexibility

There is no concrete evidence that JWTs are more flexible; standard session stores already allow arbitrary data to be stored.

4. Better Security

Signed cookies can be just as secure as JWTs. Using encryption does not automatically make a system safer; misuse can introduce new vulnerabilities. JWTs do not eliminate CSRF risks—CSRF tokens are still required.

5. Built‑in Expiration

Server‑side session stores also support expiration, often with finer‑grained control. Stateless JWTs cannot be revoked before expiration, which can be problematic.

6. No Need to Ask Users About Cookies

Legal regulations treat any persistent identifier (including JWTs) as a cookie‑like mechanism; user consent is still required for tracking purposes.

7. Prevent CSRF Attacks

Storing JWTs in cookies does not prevent CSRF; storing them in local storage avoids automatic transmission but introduces XSS risks. The correct mitigation is to use CSRF tokens regardless of storage.

8. Better for Mobile

All modern browsers and mobile HTTP clients support cookies, so there is no advantage here.

9. Works When Users Block Cookies

Users who block persistent storage typically block all mechanisms, including local storage; JWTs do not solve this problem.

Disadvantages of Using JWTs for Sessions

Space Overhead

Stateless JWTs can become large, exceeding typical cookie size limits and causing storage issues.

Security Risks

If JWTs are stored outside cookies (e.g., in local storage), they are vulnerable to XSS attacks. Revocation is impossible without server‑side state, making compromised tokens hard to invalidate.

Inability to Revoke Individually

Unlike server‑side sessions, a JWT remains valid until its expiration, even if the user changes their password or an attack is detected.

Stale Data

Because the payload is baked into the token, it can become outdated, leading to inconsistencies with the database.

Lack of Production‑Ready Libraries

Established session libraries (e.g., express-session – https://github.com/expressjs/session) have been battle‑tested for years, whereas many JWT implementations lack extensive real‑world validation.

Conclusion

Stateless JWTs cannot be individually revoked and may cause size and security problems. Stateful JWTs behave similarly to session cookies but lack the mature ecosystem and widespread production validation. For most applications, especially those not operating at massive scale, traditional session cookies are the safer choice.

When JWTs Are Appropriate

JWTs shine as short‑lived, single‑use authorization tokens. Typical scenarios include:

Issuing a token that is valid for only a few minutes to authorize a file download.

Ensuring the token can be used only once, after which a new token must be generated.

Keeping the main application’s authentication based on sessions while using JWTs solely for transient operations.

In such cases, combining sessions with JWTs provides a clear separation of concerns without misusing JWTs as a persistent session mechanism.

References

JSON Web Token Specification – https://tools.ietf.org/html/rfc7519 Security analysis of JWTs –

https://blog.prevoty.com/does-jwt-put-your-web-app-at-risk