0

when i read the documentation of JWT, I understood that we do not need to use session for saving user data because it is encrypted in the request header and actually JWT is stateless.

But I want to remove JWT token, if my user is deactivate..

In this case, in my JWK middle-ware, after validating the Token i have to get a query in my mongoDB for checking if that user is active or deactive.

so it is not stateless and on the other hand it is a big overload for mongoDB because mongoDB is not good database for saving session!! so i need Redis.. and if I want to use Redis what is difference between session and cookie and JWT?

hossein derakhshan
  • 771
  • 2
  • 10
  • 23

1 Answers1

0

As you mentioned, JWT token can carry arbitrary user-associated information. The communication remains stateless since the server does not remember what was the state of this particular client during a previous request. You have to supply the context with every request, which you do in form of the JWT token.

As long as the context is small it is alright to put it all in the token. When there is a lot of context, passing it around with each request may not be optimal anymore. This is when you need to switch to storing the state on the backend.

To this extent, JWT and cookies are similar mechanisms of carrying the context between requests. They are both subject to a size boundary when you have to decide whether a backend session store should be used to reduce the size of the data transmitted within each request.

Nic Nilov
  • 5,056
  • 2
  • 22
  • 37