I am looking at JWT as an alternative to traditional cookie sessions, but I don't see how they fundamentally differ from signed cookies, which Express, for example, offers through middleware such as cookie-parser.
In both of these, the last part is the payload signature, which ensures that the payload has not been changed.
Signed cookie:
user=tobi.CP7AWaXDfAKIRfH49dQzKJx7sKzzSoPq7/AcBBRVwlI3
Equivalent to JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiVG9iaSJ9.kCTlR_Igb4H5cqBEDedShM2ivSQijPQkWqN4pZAXb2g
In addition to the facts that:
(1) JWT has no restrictions on origin and that
(2) the contents of the cookie are immediately readable by a person, while the contents of the JWT (header + payload) are base64 encoded,
is there anything that gives the JWT a distinct advantage over signed cookies?