
Category: Security (difficulty: medium)

JWT pitfalls: when should you use JWTs vs server-side sessions?

Tags: #jwt #sessions #auth

Answer

JWTs suit stateless APIs and service-to-service auth because the receiver can verify a token with nothing but the signing key, no lookup required. That same statelessness is the problem: a signed token stays valid until its exp, so it cannot be revoked without adding server-side state, and the payload grows with every claim you add. Server-side sessions keep the state on the server, which makes revocation, rotation and short lifetimes trivial; they are the better default for browser-facing web apps where you need that control.

Advanced answer

Deep dive

JWTs are useful but have sharp edges:

  • Good for stateless APIs and service-to-service auth; keep the TTL short (minutes, not days).
  • Hard to revoke: nothing on the server can invalidate a signed token before exp. Pair short-lived access tokens with refresh-token rotation (single-use refresh tokens, reuse detection), and keep the revocation state server-side on the refresh side.
  • The payload is only base64url-encoded, not encrypted; anyone holding the token can read every claim.
  • Pin the accepted algorithm on the verifying side; never let the token's own alg header decide it.
  • Server-side sessions give central control: instant revocation, id rotation on login, MFA step-up, revoke-all on password change.
  • In a browser, store tokens in HttpOnly, Secure, SameSite cookies, never localStorage. Cookies bring CSRF back into scope, so SameSite (and a CSRF token for state-changing requests where needed) is part of the design, not an optional extra.

Examples

Session cookie approach:

Set-Cookie: session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
Server looks up session_id in Redis on every request and can delete it instantly to revoke
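The server side of that cookie approach, as an added example that is not part of the original page. An in-memory dict stands in for the Redis store named above (a hypothetical substitution so the snippet runs offline); it shows the things sessions buy you that a bare JWT does not: idle and absolute timeouts, id rotation on login and on MFA step-up (against session fixation), instant revocation of one session, and revoke-all for a user. The `SessionStore` name and the timeout values are the example's own choices.

```python
import secrets
import time

IDLE_TTL = 15 * 60       # slides forward on every request
ABSOLUTE_TTL = 8 * 3600  # hard cap regardless of activity


class SessionStore:
    """Hypothetical stand-in for the Redis store: session_id -> record."""

    def __init__(self):
        self.sessions = {}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        sid = self._new_id()
        self.sessions[sid] = {"user": user_id, "mfa": False, "created": now, "last_seen": now}
        return sid

    def get(self, sid, now=None):
        """Validate on each request; expired sessions are deleted, live ones have last_seen refreshed."""
        now = time.time() if now is None else now
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > IDLE_TTL or now - rec["created"] > ABSOLUTE_TTL:
            del self.sessions[sid]
            return None
        rec["last_seen"] = now
        return rec

    def rotate(self, sid):
        """Issue a fresh id for the same record: call after login and after any privilege change."""
        rec = self.sessions.pop(sid, None)
        if rec is None:
            return None
        new_sid = self._new_id()
        self.sessions[new_sid] = rec
        return new_sid

    def step_up(self, sid, now=None):
        """MFA step-up: mark the session as MFA-verified and rotate its id."""
        rec = self.get(sid, now)
        if rec is None:
            return None
        rec["mfa"] = True
        return self.rotate(sid)

    def revoke(self, sid):
        """Instant logout: the cookie value becomes meaningless on the very next request."""
        return self.sessions.pop(sid, None) is not None

    def revoke_all_for_user(self, user_id):
        """Password change / compromise response: log the user out everywhere."""
        doomed = [s for s, r in self.sessions.items() if r["user"] == user_id]
        for s in doomed:
            del self.sessions[s]
        return len(doomed)


def set_cookie_header(sid):
    return f"Set-Cookie: session_id={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Every request costs one store lookup, which is exactly what the JWT approach avoids; in exchange, `revoke` and `revoke_all_for_user` take effect on the next request instead of at some future exp.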

Common pitfalls

  • Long-lived JWTs carrying sensitive claims: the payload is readable by anyone who holds the token, and it stays valid until exp.
  • Storing JWTs in localStorage: any XSS on the origin can read and exfiltrate them, whereas an HttpOnly cookie is not reachable from script.
  • Using JWTs where revocation is required (e.g., admin access, or anything that must end immediately on password change or account compromise).

Interview follow-ups

  • How would you implement logout with JWTs?
  • What claims should never be in a token?
  • How do you rotate signing keys safely?

Related questions

Next.js: Next.js App Router auth: how do you keep it secure and SSR-friendly? (#nextjs #auth #cookies)
Architecture: Authentication vs authorization — what’s the difference? (#auth #authentication #authorization)
Spring: Spring Security — where do authentication/authorization happen? (#spring-security #filters #auth)