I am torn between using client-side (namely JWT) and server-side login session management. It is a personal project for learning, but I would like to have some concrete guidelines, or DOs and DO NOTs, for future projects.

The website I am deploying does simple CRUD REST operations; therefore, my intuition is to use stateless login authentication. According to this question on session management, for a truly stateless application the server should not store any session information, and JWTs, cookies and tokens are recommended.

The issue I soon ran into is logout using JWT. There is no way to completely log out using tokens, because they are stateless. Some suggest using a database to store blacklisted tokens, but that contradicts the stateless nature of the server in the first place.

Also, aren't sessions just cookies with a session ID and server-side information, similar to JWTs with a server-side blacklist? If this is true, why do SPAs prefer tokens to sessions?

Please give concrete examples, and specific reasons on when and when not to use one over the other. Thank you.

Biliking

0 Answers