HeadlinesBriefing.com

Why JWTs Fail as Session Tokens and What to Use Instead

Source: Hacker News

Developers keep reaching for JWTs to keep users logged in, but a growing consensus warns against it. The usual advice is to keep a JWT's lifetime to a few minutes, precisely because a stateless token cannot be revoked before it expires; a login session has to last hours or days. Making such tokens revocable means adding server-side state anyway, at which point a plain cookie session, supported natively by every browser, is the simpler, safer and more flexible choice.

A 2016 blog post and a recent conference talk detail the practical flaws: a JWT kept in localStorage or sessionStorage is readable by any script that gets XSS on the page (an HttpOnly cookie is not), and a stolen token can be replayed until it expires because nothing on the server can revoke it. The talk recommends express-session with a store connector such as connect-session-knex for Node.js, so developers lean on existing framework support instead of rolling their own JWT handling, and keep the well-understood CSRF defenses that go with cookie-based sessions.

When a short-lived signed token is genuinely needed, the PASETO specification offers stronger defaults and avoids the JWT family's design flaws, such as letting the token's own header choose the signing algorithm. Security experts cite Google's own use of JWTs only for SSO, not for browser sessions, underscoring the distinction. Switching to cookie sessions eliminates custom token handling and aligns with proven web-security practice; expiry is enforced by the session store rather than by code each developer has to write.