
Are you using JWTs for user sessions in the correct way?

Blog post from SuperTokens

Post Details
Company: SuperTokens
Author: Rishabh Poddar
Word Count: 3,079
Language: English
Summary

JSON Web Tokens (JWTs) are widely used for OAuth, but their use for user session management is debated because of specific pros and cons. JWTs reduce latency by letting a server verify a session without a database lookup, but they are criticized for being hard to revoke and for exposing every session to compromise if the signing key is leaked. The article works through these pros and cons and debunks several myths about JWTs, including their perceived ease of use and their supposed security advantages. It proposes a hybrid session management approach that combines short-lived JWTs with long-lived opaque tokens: the JWT is used to verify the session on each request, and the opaque token is used to refresh the session once the JWT expires. This design addresses several drawbacks of JWTs, including revocation and monitoring which devices a user is signed in on, while keeping their main advantage of reduced latency. The article concludes that JWTs are useful for scalability, but that using them exclusively for long-lived sessions is not ideal, and that the combined approach offers a more secure and efficient solution.