> In a JWT, the token is signed and you validate the signature with a cert, and that cert is public knowledge.
JWT is a particular type of token. Not everyone uses JWTs because they have drawbacks — in particular, a self-contained signed token can't be revoked without maintaining some sort of blacklist of invalidated tokens. So you have to resort to expiration to make up for that I guess?
In my own backend projects I use session IDs that are simply long random strings that are stored in the database. I delete the row when the user logs out of their session.
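The two revocation models described above, side by side, as an added example that is not the commenter's own code: an in-memory dict stands in for the session table, and the JWT part is a minimal hand-rolled HS256 signer/verifier (assumed here so the block runs offline, in place of a library). The session store hashes the ID before storing it, a design choice of this example rather than something the comment states. The point it shows is that deleting the session row revokes an opaque ID immediately, while a signed JWT stays valid after "logout" until either its `exp` passes or the server consults a denylist of token IDs.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Opaque session IDs: a random string that is only a key into server-side state ---
# SESSIONS stands in for the database table (constructed, in-memory). Keys are the
# SHA-256 of the session ID so a leaked table does not hand out live tokens.
SESSIONS = {}

def _sid_key(sid):
    return hashlib.sha256(sid.encode()).hexdigest()

def create_session(user_id, ttl=3600):
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[_sid_key(sid)] = {"user": user_id, "expires": time.time() + ttl}
    return sid

def resolve_session(sid, now=None):
    """Return the session record for sid, or None if unknown, revoked or expired."""
    now = time.time() if now is None else now
    rec = SESSIONS.get(_sid_key(sid))
    if rec is None or rec["expires"] <= now:
        return None
    return rec

def logout(sid):
    # Deleting the row is the revocation: no later lookup can succeed.
    SESSIONS.pop(_sid_key(sid), None)

# --- JWT (HS256): self-contained, so the server keeps nothing and can only deny by list ---
def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims, key):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token, key, revoked_jti=frozenset(), now=None):
    """Return the claims if signature, exp and the revocation list all pass, else None."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return None
    if claims.get("jti") in revoked_jti:
        return None  # the "blacklist": exactly the server-side state a JWT was meant to avoid
    return claims

def demo():
    """Log in with both schemes, log out, and report what each server still accepts."""
    key = secrets.token_bytes(32)
    now = time.time()

    sid = create_session("alice")
    jwt = issue_jwt({"sub": "alice", "jti": secrets.token_hex(8), "exp": now + 3600}, key)
    before = (resolve_session(sid, now) is not None, verify_jwt(jwt, key, now=now) is not None)

    logout(sid)  # one DELETE and the session ID is dead
    revoked = {json.loads(_b64url_decode(jwt.split(".")[1]))["jti"]}  # the JWT needs a denylist
    after_logout = (resolve_session(sid, now) is not None, verify_jwt(jwt, key, now=now) is not None)
    jwt_with_denylist = verify_jwt(jwt, key, revoked_jti=revoked, now=now) is not None
    jwt_after_exp = verify_jwt(jwt, key, now=now + 7200) is not None
    return {"before": before, "after_logout": after_logout,
            "jwt_with_denylist": jwt_with_denylist, "jwt_after_exp": jwt_after_exp}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `after_logout == (False, True)`: the session ID fails the lookup the moment its row is gone, while the JWT still verifies until the denylist is checked or `exp` passes.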
A hacker would start salivating if they heard someone who built a product storing PII said what you just did about session tokens for your personal projects.
By the way, social media services like Facebook do store PII and have non-expiring sessions. And somehow, if someone's account is hacked, it's that person's problem, not Facebook's.