Information Security 7 min read

Why Many People Discourage Using JWT (JSON Web Tokens)

This article explains what JWT is, outlines its workflow, and critically examines its drawbacks—including size overhead, redundant signatures, token revocation challenges, stale data, lack of encryption, and broader security concerns—concluding that JWT is suitable only for short‑lived authorization tokens rather than long‑term session management.


Why Do Many People Discourage Using JWT?

If you often follow online project tutorials, you will notice that many projects use JWT. This article explores whether JWT is safe and why many developers advise against using it, covering its advantages and disadvantages in detail.

What Is JWT?

Official site: https://jwt.io/

JWT stands for JSON Web Token. It can be thought of as a JSON payload that can be verified as coming from a trusted source.

The typical flow is:

1. When you log in, the server generates a JWT and sends it to you.
2. The JWT contains information such as username, roles, and permissions.
3. For each subsequent request, you include the JWT.
4. The server validates the token’s signature and checks the claims to confirm identity and permissions.
5. If validation succeeds, you can access protected resources.

Why Is JWT Considered Bad?

JWT is typically used across the whole user lifecycle: registration, login, performing authenticated actions, and reading or updating the user’s data in a database.

Size Overhead

Storing a simple user ID in a cookie may take only a few bytes, whereas the same ID encoded in a JWT can be roughly 51 times larger, increasing bandwidth usage.

Redundant Signatures

JWT’s main selling point is its signed payload, but most modern web frameworks already provide signed (and often encrypted) session cookies, offering the same benefits without the extra token layer.

Token Revocation Issues

Because a JWT remains valid until it expires, there is no simple way for the server to revoke it early, which can be dangerous in scenarios such as logout or privilege changes.

Stale Data

If a user’s role is downgraded, the change does not take effect until the JWT expires, allowing the user to retain higher privileges temporarily.
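The verification flow described above, together with the revocation and stale-data problems, as an added example that is not part of the original article. It assumes an HS256 shared secret and a server-side denylist keyed on the `jti` claim (neither is mentioned in the article); both values below are constructed for the demo. Note that without the denylist, a downgraded or logged-out user keeps a valid token until `exp`.

```python
import base64, hashlib, hmac, json

# Constructed demo key; a real deployment loads a random 256-bit secret from config.
SECRET = b"demo-secret-do-not-use-in-production"
# Assumed design: server-side denylist of revoked token ids, needed because the
# signature alone cannot tell a server that a still-unexpired token was revoked.
REVOKED_JTIS = set()

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(claims: dict, ttl: int, now: int) -> str:
    """Create an HS256 JWT; a short ttl bounds how long a stale or stolen token works."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl)
    signing_input = f"{b64url_encode(json.dumps(header).encode())}.{b64url_encode(json.dumps(body).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify(token: str, now: int) -> dict:
    """Return the claims if the token is authentic, unexpired and not revoked; else raise ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))  # payload is only base64url, readable by anyone
    if now >= claims.get("exp", 0):  # a token without exp is treated as expired
        raise ValueError("expired")
    if claims.get("jti") in REVOKED_JTIS:  # the only way to cut a token short before exp
        raise ValueError("revoked")
    return claims

def revoke(token: str) -> None:
    """Logout or role downgrade: record the jti so verify() rejects it until exp passes."""
    REVOKED_JTIS.add(json.loads(b64url_decode(token.split(".")[1])).get("jti"))
```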

Lack of Encryption

JWTs are typically signed but not encrypted: the header and payload are only base64url encoded, so anyone who intercepts the token can read its claims, making man‑in‑the‑middle interception a real threat.

Security Concerns

For a more detailed security analysis, see: https://research.securitum.com/jwt-json-web-token-security/

For practical attack tutorials, see: https://www.freebuf.com/articles/web/375465.html

Conclusion

JWTs are suitable as short‑lived authorization tokens for transmitting claims between two parties. However, they are not ideal for long‑term session storage; traditional session cookies provide a more mature and secure solution for persistent authentication.

For learning or non‑production projects, using JWT is acceptable, but in production environments you should be aware of the outlined drawbacks and consider alternative approaches.

Tags: web security, Authentication, JWT, token

Written by Architecture Digest

Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.
