Why Many Developers Discourage Using JWT (JSON Web Token)

This article explains what JWT is, how it works in authentication flows, and details its major drawbacks—including large token size, redundant signatures, revocation difficulties, stale data risks, and lack of encryption—while concluding that JWT may be suitable only for short‑lived, single‑use scenarios.

Top Architect

Why Many Developers Discourage Using JWT

JSON Web Token (JWT) is a compact, URL‑safe means of representing claims to be transferred between two parties. It is often used for authentication in web applications, but its safety and suitability are frequently questioned.

What Is JWT?

JWT stands for JSON Web Token. It is essentially a JSON object (a set of claims) that is signed so the recipient can verify its authenticity and integrity. The official site is https://jwt.io/. A JWT typically contains user information such as the username, roles, and permissions.

How JWT Works

When a user logs in, the server generates a JWT and sends it to the client. The client includes this token in subsequent requests. The server validates the token’s signature and extracts the claims to authorize the request. If validation succeeds, the user gains access to protected resources.

Why JWT Is Considered Problematic

Size: Storing a simple user ID in a cookie may take only a few bytes, whereas encoding the same ID in a JWT (base64url header, JSON payload with timestamps, and a signature) can increase the payload size by dozens of times, adding bandwidth overhead on every request.

Redundant Signature: Modern web frameworks already provide signed (often encrypted) session cookies, offering the same integrity guarantee without the extra JWT layer.

Token Revocation: Because a JWT remains valid until its expiration, there is no straightforward way for the server to revoke it early (doing so requires server-side state such as a denylist, which removes the statelessness benefit), so a compromised token stays usable until it expires.

Stale Data: Changes to a user's permissions (for example, demotion from admin) are not reflected until the token expires, because the server trusts the claims carried in the token rather than re-reading the user's current state, potentially allowing continued privileged access.

Lack of Encryption: JWTs are usually only signed, not encrypted. The payload is plain base64url-encoded JSON, so anyone who intercepts the token can read its contents without any key and, since the token is a bearer credential, replay it to impersonate the user.
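The flow described under "How JWT Works" and the size, revocation, stale-data and no-encryption problems listed above, worked through in one added example (editor's code, not from the original article and not from any JWT library): it mints and verifies an HS256 token using only the Python standard library, then shows that the payload is readable without the key, that a tampered payload fails verification, that the only way to invalidate a token before its expiry is a server-side denylist (keyed here on the jti claim, an assumption of this example), and how much larger the token is than an opaque session identifier. The secret, user names and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real service loads it from a secret store.
SECRET = b"demo-hs256-key-not-for-production"


def b64url(data: bytes) -> str:
    """JWT uses unpadded base64url for all three segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, secret, ttl_seconds=300, now=None):
    """Build header.payload.signature, signing with HMAC-SHA256 (HS256)."""
    issued = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iat": issued, "exp": issued + ttl_seconds,
               "jti": secrets.token_hex(8)}   # jti is the handle a denylist can key on
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def verify_jwt(token, secret, revoked=frozenset(), now=None):
    """Check algorithm, signature, expiry and denylist; raise ValueError on any failure."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":        # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    current = time.time() if now is None else now
    if current >= payload.get("exp", 0):
        raise ValueError("expired")
    if payload.get("jti") in revoked:       # server-side state: the price of early revocation
        raise ValueError("revoked")
    return payload


def peek_payload(token):
    """Read the claims without any key: the token is signed, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def outcome(fn):
    """Run a verification and return 'ok' or the failure reason."""
    try:
        fn()
        return "ok"
    except ValueError as err:
        return str(err)


def demo(now=1_700_000_000):
    # Constructed login: the claims say "admin"; if the database later demotes alice,
    # the token keeps saying "admin" until it expires (the stale-data problem).
    token = mint_jwt({"sub": "alice", "role": "admin"}, SECRET, ttl_seconds=60, now=now)
    h, _, s = token.split(".")
    forged_claims = dict(peek_payload(token), role="root")   # edit payload, keep old signature
    forged = f"{h}.{b64url(json.dumps(forged_claims).encode())}.{s}"
    jti = peek_payload(token)["jti"]
    session_id = secrets.token_urlsafe(16)   # what an opaque session cookie would carry instead
    return {
        "valid": outcome(lambda: verify_jwt(token, SECRET, now=now + 10)),
        "readable_without_key": peek_payload(token)["role"],
        "tampered": outcome(lambda: verify_jwt(forged, SECRET, now=now + 10)),
        "wrong_key": outcome(lambda: verify_jwt(token, b"other-key", now=now + 10)),
        "after_expiry": outcome(lambda: verify_jwt(token, SECRET, now=now + 61)),
        "revoked_via_denylist": outcome(lambda: verify_jwt(token, SECRET, revoked={jti}, now=now + 10)),
        "size_ratio_vs_session_id": round(len(token) / len(session_id), 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} {result}")
```

Note that `verify_jwt` pins the algorithm to HS256 and uses a constant-time comparison; the `revoked` set is the server-side state that revocation requires, which is exactly what a stateless JWT deployment lacks. The size ratio varies slightly with the random jti and session id but stays well above the author's "dozens of times" is not reached for this tiny payload; even this minimal token is several times the size of an opaque id, and every extra claim widens the gap.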

Security Considerations

For deeper analysis, see research such as Securitum's JWT security article and practical attack guides like FreeBuf's JWT attack tutorial.

Conclusion

JWTs are suitable as short‑lived authorization tokens for transmitting claims between services. However, they are ill‑suited for long‑term session management due to size, revocation, and security concerns. For persistent sessions, traditional signed cookies or established session mechanisms are generally safer and more efficient.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Backend, Security, JWT
Written by

Top Architect

Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
