As per the JWT spec: “Finally, note that it is an application decision which algorithms may be used in a given context. Even if a JWT can be successfully validated, unless the algorithms used in the JWT are acceptable to the application, it SHOULD reject the JWT.”
There is no reason you can’t keep a list of valid “session” identifiers and check the JWT is valid against that as part of verification. Then the only state you need to store server-side is the identifier. You get the exact same benefits of server-based session stores without needing to store the entire session on the server - just the identifier.
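As an added example (not code from the original comment or any library it refers to), the two points above combined in a single stdlib-only verifier: the application holds the algorithm allowlist, and the only server-side state is a set of session identifiers (`jti`) that the token must still match. The key, the `ACTIVE_SESSIONS` store and the `sess-*` identifiers are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: the server's HMAC key (constructed)
ALLOWED_ALGS = {"HS256"}  # the application, not the token, decides which algs are acceptable
# Assumed server-side store: only the session identifier (jti) is kept, never the session data.
ACTIVE_SESSIONS = {"sess-001", "sess-002"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, jti: str, alg: str = "HS256", ttl: int = 3600) -> str:
    """Mint an HMAC-SHA256 JWT; 'alg' only sets the header text (lets a test present an unapproved alg)."""
    header = {"alg": alg, "typ": "JWT"}
    payload = {"sub": sub, "jti": jti, "exp": int(time.time()) + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str):
    """Return the payload if the token is acceptable, else None.
    Order: algorithm allowlist -> signature -> expiry -> session identifier."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
    # 1. Reject any algorithm the application has not approved (the spec's SHOULD):
    #    this also disposes of 'alg: none' before any signature logic runs.
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(_b64url_decode(p_b64))
    if payload.get("exp", 0) < time.time():
        return None
    # 2. The stateful check from the comment: a valid signature proves the token was
    #    issued; only a jti still present in the store proves the session is live.
    if payload.get("jti") not in ACTIVE_SESSIONS:
        return None
    return payload

def revoke_session(jti: str) -> None:
    """Log out: drop just the identifier; every token bearing it is now rejected."""
    ACTIVE_SESSIONS.discard(jti)
```

Revocation therefore costs one set membership per request and one deletion per logout, with no session body stored server-side.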