Quote:
Originally Posted by suzzer99
I agree with most of their points. I use JWT as a shortcut essentially - it comes back from our external SSO provider and I ask them to include a few pieces of information that I've previously given them, so that I don't have to make a round trip every time someone presents the key to me. We're not super concerned with not being able to invalidate a key, although I suppose at some point that could be an issue. Our JWT keys only last for an hour though.
We don't really use them to store dynamic session data - that would clearly be a mistake.
In our services architecture, we don't really have a guarantee that every service can access a central cache server, so using sessions isn't going to work for us, unless those servers won't need what's in the session. This actually might be true for us, I don't know, because we don't really have any kind of use for cached session data.
We have tried to keep everything stateless as much as possible. We will probably be breaking some of that soon, in an effort to speed up certain things, but all of the breaking will be local - that is, a single service might keep a sessiony-kind-of-thing that only it cares about. In our case this is going to kind of be a "cursor" into a set of search results for a user. We have this persistent problem where someone comes in and does a search and wants *all* the results. They get page 1, then 2 and so forth. There may be hundreds of pages. So we end up doing the same damn search hundreds of times. There's also a chance that they can miss or duplicate data this way, since there is a gap in time between pages. But anyway.