
Showing posts from July, 2020

Maintaining STATE with JWT (Get full control)

When I started building REST APIs, I wondered how JWT works. It felt like something magical: we can verify authorized users without using a session ID. It saves a lot of storage on the server side, and we don't have to query the database for each and every request (to check whether the session ID exists and whom it belongs to). I thought that sessions would die soon and every application would implement JWT. But that wasn't right. Sessions are still better than JWT in many cases. Let's see a few scenarios where JWT really sucks.

The token is still valid after a password reset.
The token is not invalidated even if the account is deleted.
The server cannot invalidate the token after logout (technically there is no real logout; the token stays valid until it expires).
You cannot control how many devices can be logged in at a time.

The above-mentioned issues can only be solved by tracking the state of the application. So tha...