alt Hacker NewsIn sessions vs. JWT revocation lists, there is an argument in favor of JWT revocation lists. JWTs have a limited expiry timestamp, so you only ever need to maintain a revocation list for tokens not expired yet. Given that you probably only have a fraction of JWTs revoked compare to valid JWTs in circulation, you only need to query a very small dataset for each request.
When using sessions, your list of valid sessions is probably orders of magnitudes higher that the revocation list - thus the data lookup costs and the storage cost of that statefulness is higher.
Plus, the article mentions JWTs are stateless but that is usually not true. You mostly not only validate the JWT, but also obtain a matching identity object (i.e. user details) for each request to see if the user is still enabled/authorized to do whatever he does. You can leverage stuff such as per-user revocation lists, or a minimum_issued_at that will validate any JWT iat field. This allows the "Logout from all devices" pattern, where that action will simply set a user's minimum_issued_at field to $NOW. All previous tokens will thus be revoked, without individuall revocation list checks.
Replies
Session data lookup is one select to database that gives 0..1 rows and uses index. In most cases this is not something you need to worry about.
> JWTs have a limited expiry timestamp, so you only ever need to maintain a revocation list for tokens not expired yet.
Sessions have expiration timestamps too, and you can configure them however you like.
The moment you have to look up the user object, you've lost the primary advantage of JWT, and might as well ditch it.