When managing user sessions, cookies can be configured to persist for extended periods. On Reddit, for instance, you may find a cookie named "reddit_session" set to expire only after several years. This is convenient for users, who stay logged in without having to re-authenticate frequently.

Not all session cookies are JWTs, and the difference determines how, and how quickly, a session can be revoked.

Session Cookies vs. JWTs

When evaluating authentication mechanisms, the key decision is between a stateful (session cookie) and a stateless (JWT) approach. With session cookies, the cookie carries only an opaque, random session identifier; verifying it requires the server to look it up in a centralized session store on every request, so the system is stateful by necessity. That same constraint is what allows a session to run for very long periods, even years: the server can revoke it in real time simply by deleting the record.

JSON Web Tokens (JWTs), on the other hand, are self-contained: the token carries its own claims (subject, issue time, expiry) and is verified by checking its signature, with a shared secret (HMAC) or a public key (RSA/ECDSA), so no state store has to be consulted per request. This makes them well suited to distributed environments. Because an issued token remains valid until its expiration, common practice is to keep its lifetime short. Immediate revocation is harder than in the session-based model: it requires reintroducing state, such as a denylist of revoked token IDs checked on every request, which is exactly the lookup the stateless design set out to avoid.

Why JWTs must expire quickly

With stateless JWTs, the server loses direct control over a token once it has been issued. If a user must be forcibly logged out (for example after an account ban or a password change), the server cannot invalidate the JWTs it has already handed out; every verifier will keep accepting them.

  • Problem: a compromised or invalidated JWT continues to grant access to protected resources until its original expiration time is reached.
  • Solution: give the access token a short lifespan (e.g., 5 to 15 minutes):
    • A forcibly logged-out user loses access within that short window at the latest.
    • Once the short-lived access token expires, the client must present a refresh token to obtain a new one. At that point the server checks its database and can deny the request, blocking further access.
    • This only works if the refresh token is itself an opaque, server-stored, revocable credential; a refresh token that is just another long-lived JWT has the same problem.
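The two halves of this design side by side, as an added example that is not part of the original article: a stateless HS256 access token that nobody can recall once issued, and an opaque refresh token whose only job is to be checked against a store. The signing key, the 15-minute lifetime, the in-memory dict standing in for the refresh-token table and the user names are all assumptions of the example. The scenario shows that a ban does not affect the access token already in the user's hands, that tampering with the payload is caught by the signature, and that the ban does take effect at the next refresh.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumptions for this example: an HS256 (HMAC-SHA256) signing secret shared by the
# services that verify tokens, and a 15-minute access-token lifetime.
SIGNING_KEY = b"hypothetical-hs256-signing-key"
ACCESS_TTL = 15 * 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(sub: str, now: int) -> str:
    """Stateless access token: claims plus HMAC signature, nothing stored server-side."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ACCESS_TTL}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(token: str, now: int):
    """Per-request check: signature and expiry only, no database. Returns claims or None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # never let the token choose the algorithm ("none", RS256 confusion)
        claims = json.loads(_b64url_decode(p))
        if claims["exp"] <= now:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


# The refresh token is the stateful half: opaque, random, stored server-side (hashed)
# and therefore revocable. This dict stands in for the database table.
REFRESH_TOKENS = {}


def issue_refresh_token(sub: str) -> str:
    token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {"sub": sub, "revoked": False}
    return token


def revoke_user(sub: str) -> None:
    """Password change, ban, or 'log out everywhere': mark every refresh token dead."""
    for row in REFRESH_TOKENS.values():
        if row["sub"] == sub:
            row["revoked"] = True


def refresh(refresh_token: str, now: int):
    """Only here does the server consult state, so only here can it say no."""
    row = REFRESH_TOKENS.get(hashlib.sha256(refresh_token.encode()).hexdigest())
    if row is None or row["revoked"]:
        return None
    return mint_access_token(row["sub"], now)


def scenario() -> dict:
    t0 = 1_700_000_000
    access = mint_access_token("alice", t0)
    rt = issue_refresh_token("alice")
    revoke_user("alice")  # an admin bans alice one minute after login
    h, p, s = access.split(".")
    forged = h + "." + _b64url(b'{"sub":"admin","iat":1,"exp":9999999999}') + "." + s
    return {
        "still_valid_after_ban": verify_access_token(access, t0 + 60) is not None,
        "forged_payload_rejected": verify_access_token(forged, t0 + 60) is None,
        "expired_after_ttl": verify_access_token(access, t0 + ACCESS_TTL) is None,
        "refresh_refused": refresh(rt, t0 + ACCESS_TTL) is None,
    }


if __name__ == "__main__":
    print(scenario())
```

The window between the ban and the token's `exp` is the whole cost of going stateless; shortening `ACCESS_TTL` shrinks it but also multiplies refresh traffic, which is why the 5 to 15 minute range is the usual compromise.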

Advantages of long-lived session cookies

Many high-traffic websites do not rely on stateless JWTs for long-term sessions. Instead, they use long-duration session cookies combined with a stateful server check.

  • Even if a cookie is set to last for months, the server performs a real-time check against a session table in the database on every request.
  • If the user's account is disabled or the session is explicitly revoked, the server simply deletes the session record from the database.
  • The next request carrying that long-lived cookie fails the database check and the user is logged out immediately. This is what makes the long lifetime acceptable: the cookie's duration is irrelevant because the server can invalidate the session instantly.
  • The trade-off is that the cookie value becomes a long-lived bearer secret, so it must be unguessable (high-entropy random, never a predictable or user-derived value) and sent with the HttpOnly, Secure and SameSite attributes so that scripts and cross-site requests cannot exfiltrate or replay it.
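The stateful model in code, as an added example that is not part of the original article: an in-memory dict stands in for the session table, the one-year lifetime and the cookie name are assumptions, and the user names are constructed. The scenario shows a cookie still working a month after login, dying on the very next request once the account is revoked, and expiring on its own after the configured lifetime; the `Set-Cookie` helper carries the attributes a long-lived cookie should always have.

```python
import hashlib
import secrets

# Assumptions for this example: a one-year cookie lifetime, a cookie named "session",
# and an in-memory dict standing in for the server's session table.
SESSION_TTL = 365 * 24 * 3600
COOKIE_NAME = "session"


class SessionStore:
    """Server-side session table. The cookie value is only a pointer into it."""

    def __init__(self):
        self._rows = {}  # sha256(cookie) -> {"user": str, "expires": int}

    @staticmethod
    def _key(cookie: str) -> str:
        # Store a hash, not the raw value: a leaked table then yields no usable cookies.
        return hashlib.sha256(cookie.encode()).hexdigest()

    def create(self, user: str, now: int) -> str:
        cookie = secrets.token_urlsafe(32)  # 256 random bits: opaque and unguessable
        self._rows[self._key(cookie)] = {"user": user, "expires": now + SESSION_TTL}
        return cookie

    def authenticate(self, cookie: str, now: int):
        """Run on every request. Returns the user or None; expired rows are dropped."""
        key = self._key(cookie)
        row = self._rows.get(key)
        if row is None:
            return None
        if row["expires"] <= now:
            del self._rows[key]
            return None
        return row["user"]

    def revoke(self, cookie: str) -> None:
        """Single logout: the next request with this cookie fails immediately."""
        self._rows.pop(self._key(cookie), None)

    def revoke_user(self, user: str) -> None:
        """Ban or password change: kill every session of the user at once."""
        for key in [k for k, row in self._rows.items() if row["user"] == user]:
            del self._rows[key]


def set_cookie_header(cookie: str) -> str:
    """Attributes a long-lived session cookie should always carry."""
    return (
        f"{COOKIE_NAME}={cookie}; Max-Age={SESSION_TTL}; Path=/; "
        "Secure; HttpOnly; SameSite=Lax"
    )


def scenario() -> dict:
    store = SessionStore()
    t0 = 1_700_000_000
    laptop = store.create("alice", t0)
    phone = store.create("alice", t0)
    month_later = t0 + 30 * 24 * 3600
    before = store.authenticate(laptop, month_later)
    store.revoke_user("alice")  # account disabled; no waiting for the cookie to expire
    after_laptop = store.authenticate(laptop, month_later)
    after_phone = store.authenticate(phone, month_later)
    bob = store.create("bob", t0)
    return {
        "valid_a_month_in": before == "alice",
        "dead_right_after_revocation": after_laptop is None and after_phone is None,
        "expires_after_ttl": store.authenticate(bob, t0 + SESSION_TTL) is None,
        "unknown_cookie_rejected": store.authenticate("not-a-real-cookie", t0) is None,
    }


if __name__ == "__main__":
    print(scenario())
    print(set_cookie_header("<random-value>"))
```

Every request pays for one indexed lookup, which is the price of instant revocation; in a real deployment the dict is a database or cache table, and the hash-before-store detail is what keeps a read of that table from being equivalent to stealing every active cookie.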

Conclusion

If the architecture is stateless (as in many microservice deployments) and you need to avoid a database lookup on every single request, JWTs are the better fit. In that case it is essential to give the access token a short expiration and to back it with a server-stored, revocable refresh token. Conversely, if the primary need is immediate, real-time control over the user session, long-lived session cookies are more appropriate, and they must always be backed by a centralized database check on every request.