
Why Cookies

When building authentication you usually pick between cookie-based sessions, backed by a server-side session store, and stateless JWT-based systems, where the signed token itself carries everything the server needs in order to trust it.

I've worked with both and had the same experience with JWT every time.

On the surface JWTs seem easier to work with since you don't have to maintain any state. Cookies seem complicated because every one of your services needs to share the same session store.

So you implement JWT thinking that auth is done. You might even use a third-party identity provider that issues JWTs, like Auth0.

At first this works, but over time the problems surface.

Since you have no central session store you don't know when someone logged in, so you usually add a lastLoginAt field to your users table. But now you only know the most recent login, not every login.

Your users will eventually want to see all of their logins, and when you can't provide that it looks very bad.

So you add a logging layer so you can see every time a user has logged in, but at that point you should have just built a central session store.

Lastly, eventually a user will suffer a security breach. It most likely won't be your fault; their password or device will be compromised on their end.

At that point you want to log that person out of every session as soon as possible, but a stateless JWT stays valid until it expires, and without a central session store you have no list of tokens to revoke.

You now have two options: ban or lock the user account until all of their JWTs have expired, or build something that records every JWT issued per user so you can blocklist them... which is a session store. Short-lived access tokens paired with refresh tokens only move the problem: the refresh tokens have to be stored and revocable, so they are a session store by another name.
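To make both failure modes concrete, the following is an added example (not code from the original post) in Python. It mints and checks a minimal HS256 JWT with the standard library, then places a server-side session store next to it. The stateless verifier still accepts a token after the user has been "logged out everywhere"; only the verifier that consults the store can reject it, and only the store can answer "show me all my logins". The signing key, user name and IP addresses are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for this example only; real deployments load it from a secret manager.
SECRET = b"example-signing-key-do-not-reuse"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _compact(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_jwt(user, ttl, jti, now=None):
    """Mint an HS256 JWT. The jti claim names the token so a store can refer to it."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "iat": now, "exp": now + ttl, "jti": jti}
    signing_input = _compact(header) + "." + _compact(payload)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_stateless(token, now=None):
    """Everything a JWT-only service can check: signature and expiry, nothing more.
    The header's alg is deliberately ignored; the verifier always uses its own HS256 key."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


class SessionStore:
    """Server-side record of every login, one row per session keyed by session id.
    Any 'track the JWTs issued per user so you can blocklist them' scheme is this table."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, ip, now=None):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": ip,
                               "created": time.time() if now is None else now,
                               "revoked": False}
        return sid

    def logins_for(self, user):
        """Full login history, not just lastLoginAt."""
        return [dict(r, sid=sid) for sid, r in self._sessions.items() if r["user"] == user]

    def is_active(self, sid):
        rec = self._sessions.get(sid)
        return rec is not None and not rec["revoked"]

    def revoke_all(self, user):
        """'Log this person out everywhere', possible only because every session was recorded."""
        hit = [r for r in self._sessions.values() if r["user"] == user and not r["revoked"]]
        for r in hit:
            r["revoked"] = True
        return len(hit)


def verify_with_store(token, store, now=None):
    """Signature + expiry + 'is this session still alive?'. The jti doubles as the session id."""
    payload = verify_stateless(token, now)
    if payload is None or not store.is_active(payload.get("jti", "")):
        return None
    return payload


def demo():
    """Two logins from two devices, then a revoke-all; compare what each verifier can tell."""
    store, t0 = SessionStore(), 1_700_000_000
    sid1 = store.login("alice", "203.0.113.5", now=t0)        # constructed sample IPs
    tok1 = issue_jwt("alice", ttl=3600, jti=sid1, now=t0)
    sid2 = store.login("alice", "198.51.100.7", now=t0 + 60)
    tok2 = issue_jwt("alice", ttl=3600, jti=sid2, now=t0 + 60)
    h1, _, s1 = tok1.split(".")
    forged = h1 + "." + tok2.split(".")[1] + "." + s1       # tok2's claims under tok1's signature
    login_history = len(store.logins_for("alice"))
    stateless_before = verify_stateless(tok1, now=t0 + 120) is not None
    revoked = store.revoke_all("alice")                    # alice reports a compromise
    stateless_after = verify_stateless(tok1, now=t0 + 120) is not None  # still accepted
    stored_after = verify_with_store(tok1, store, now=t0 + 120) is not None
    return {
        "login_history": login_history,
        "forged_rejected": verify_stateless(forged, now=t0 + 120) is None,
        "stateless_before": stateless_before,
        "revoked": revoked,
        "stateless_after": stateless_after,
        "stored_after": stored_after,
        "expired": verify_stateless(tok2, now=t0 + 60 + 3600) is None,
    }
```

The only thing that turns "this token was signed by us" into "this token is still allowed" is the lookup in `SessionStore.is_active`, and the only thing that can list a user's logins is the same table. Whether the client presents a session id in a cookie or a jti inside a JWT makes no difference to the store that has to exist behind it.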

You should have built a session store in the first place.