I think there's way too much hype around it and people are using JWT because it's shiny!
I think they all suggest JWT because it's easy to set up, and lots of tutorials about single page applications just reiterate that since it can be controlled by JS.
So are cookies. Cookies are just an HTTP header. Any HTTP client can read and set headers. The cookie header also has 20+ years of security and functionality built into it for browsers (HTTPS only, expiration, site scope, blocking access from JavaScript), and there are well known and understood fixes for issues like CSRF tokens for forgery.
Exactly. That to me is the weakest argument.
There was a really interesting discussion one year ago about using JWT and the local storage here if you're interested:
Please Stop Using Local Storage (Randall Degges, Jan 30 '18)
This is my favorite resource so far on the JWT versus sessions argument: Stop using JWT for sessions, part 2: Why your solution doesn't work
P.S. dev.to doesn't use JWT for the session, just to store additional user info.