You can just use a join on the server to issue one select to find the data from the session id.
I thought of doing this, but this means I will end up writing my own session logic anyway, right?
If you "trust" the JWT token containing a user id and that's your only entry point to validate the user session, then you have a security issue: if the JWT is stolen, first, you won't know it, and second, the attacker can impersonate the other person.
Doesn't this apply exactly the same to server based sessions? If the session id or the cookie containing the session id was stolen, the attacker can very easily impersonate the victim just by adding it to his cookies.
Exactly, which I would avoid.
Yes, exactly. So why not just use an existing implementation? JWTs are not secure by default; you need to put them in a secure, httpOnly cookie, which is basically what you're going to accomplish by using sessions anyway.
I am using Express 4/Node.js
JWT is just a token, it's not magically secure.
For Node.js maybe Express Session will do?
A tutorial: medium.com/of-all-things-tech-prog...
PS: I'm not trying to say "never use JWT"; it's just that I don't see the benefits in this particular case.