Are JWT Tokens Considered Session Data?

Asked By CuriousCoder82 On

I'm trying to wrap my head around the differences between JWT tokens and HTTP sessions. My understanding is that an HTTP session is the time when a client and server are interacting, and the main goal is to maintain state and remember previous actions to determine how to handle future requests. This state can be stored server-side or on the client, like in JWT tokens. Since JWTs can hold things like authentication status and user preferences, could they be considered a form of session data? I came across a discussion where someone posed the question of whether to use sessions or JWTs, which made me think: should I be storing session data on the server or relying on JWT tokens instead?

5 Answers

Answered By TechWhiz47 On

JWT tokens aren't really intended to serve as a session storage solution. Sure, they can hold data, but the main use case for JWTs is when the service using the token is different from the one that issued it. So, they're not quite a direct alternative to session management, which keeps state across requests.

Answered By SecurityGuru01 On

Important perspective here: JWTs were built for service-to-service authentication. If the issuer and audience differ, that’s where they shine. If you’re using the same service to issue and validate, it’s probably easier to use a simple opaque token stored in a database instead. Plus, keep in mind that JWTs can’t be revoked easily, which is a drawback for long-lived tokens like those used in sessions.
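The revocation trade-off raised in the answer above, as an added example that is not part of the original thread: a minimal HS256-signed token next to an opaque token backed by a server-side store. The key, the store and denylist names, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

KEY = secrets.token_bytes(32)  # constructed demo signing key
SESSIONS = {}                  # server-side store: opaque token -> session record
REVOKED_JTI = set()            # server-side denylist needed to revoke a JWT early

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_jwt(sub, ttl, now):
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims).encode())
    signing_input = f"{header}.{body}"
    return f"{signing_input}.{_b64(_sign(signing_input))}"

def verify_jwt(token, now, use_denylist=False):
    """Return the claims if the token is valid at time `now`, else None."""
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{header}.{body}"), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if now >= claims["exp"]:
        return None
    if use_denylist and claims["jti"] in REVOKED_JTI:
        return None  # this lookup is server-side state again
    return claims

def issue_opaque(sub, ttl, now):
    token = secrets.token_urlsafe(32)  # random, carries no data itself
    SESSIONS[token] = {"sub": sub, "exp": now + ttl}
    return token

def verify_opaque(token, now):
    session = SESSIONS.get(token)
    return session if session and now < session["exp"] else None

def logout_opaque(token):
    SESSIONS.pop(token, None)  # revocation is a single delete
```

Deleting the opaque token's record ends that session on the next request, while the signed token keeps verifying until `exp` unless the verifier also consults a denylist, which brings server-side state back in.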

Answered By DataDynamo99 On

Technically, JWTs aren't considered session data. While they can be stored in session cookies, doing that limits their lifespan. JWTs function as cryptographically signed data and can be used in a ton of scenarios, like sharing information across devices without any HTTP context. It's way more versatile than just being tied to a session.

Answered By CodeNinja22 On

Honestly, I think people get too caught up in definitions. Whether you call it session data or not isn't as crucial as how you choose to use it. Focus on the functionality instead!

Answered By DevNerd77 On

From what I've gathered, JWTs are generally meant for stateless authentication and not really for session data like shopping carts. It'd be a bit unusual to send a new JWT every time something changes in the cart, right? Just a heads up—this isn't my main area, but I've read similar things.
