Why Using JWT as Session Storage Is a Bad Idea: Risks and Misconceptions

Many people use JWT for session management, which is a poor practice; this article explains why.

JWT comes in two forms: a stateless JWT that contains session data inside the token, and a stateful JWT that only carries a session ID while the data remains on the server. The discussion focuses on the stateless variant.

Using JWT as a session mechanism is unsafe for several reasons.

Comparing cookies versus JWT is meaningless—cookies are a storage mechanism, while JWT is a signed token. The proper comparisons are sessions vs. JWT and cookies vs. Local Storage.

Claims about JWT advantages

People cite benefits such as easy horizontal scaling, simplicity, security, built‑in expiration, CSRF protection, and the ability to work when cookies are blocked. The article examines each claim.

(1) Easy horizontal scaling

Embedding session data in a JWT makes servers stateless, seemingly aiding scaling, but mature solutions like Redis or dedicated session stores already handle this without storing data on the client.

(2) Simplicity

Managing sessions yourself in a token is not simpler than using built‑in cookie sessions.

(3) More secure

JWTs are signed, not encrypted; cookies can also be signed or encrypted, and transport security (TLS) is required for both.

(4) Built‑in expiration

Expiration should be enforced server‑side; client‑side expiration cannot prevent token theft.

(5) CSRF protection

CSRF attacks stem from automatic cookie submission. Using JWT does not eliminate CSRF if stored in cookies; storing in Local Storage avoids CSRF but introduces XSS risks. Proper CSRF mitigation uses CSRF tokens. http://xbank.com/transfer?to=123&money=1000 A malicious site could embed an image request like the following to trigger a transfer:

<img src=http://xbank.com/transfer?to=456789&money=1000>

(6) Works when cookies are blocked

When users block cookies, they often block all local storage, rendering JWT unusable as well.

JWT disadvantages

(1) Large size

Embedding session information inflates the token size, potentially exceeding cookie limits and increasing network load.

(2) Insecurity

If stored in cookies, JWT offers no advantage over traditional sessions; if stored elsewhere, it inherits other security issues.

(3) Cannot invalidate individually

Unlike server‑side sessions, a JWT remains valid until its expiration, making immediate revocation impossible.

(4) Stale session data

Changes to user roles are not reflected until the token expires, leading to outdated information.

Conclusion

JWTs are unsuitable for session storage; they are better suited for short‑lived, one‑time command authentication. The goal is not to denounce JWT, but to highlight its misuse as a session mechanism.