June 16, 2026
Token drama hits cookie season
Stop Using JWTs
Internet erupts as coders fight over the ‘login shortcut’ some say should be banned
TLDR: The article argues that websites should stop using JWTs to keep users logged in and go back to regular cookie-based sessions, which it says are safer and simpler. Commenters turned it into a full-blown feud, with some cheering the warning and others insisting JWTs are fine when used carefully.
The post’s message is basically: stop using JSON Web Tokens, or JWTs, to keep people logged into websites. In plain English, that means the author thinks a trendy “modern” login method has been wildly overused, and that boring old browser cookies are actually safer and smarter for most sites. The article goes hard, calling “stateless” logins a fantasy, warning that storing login secrets in browser storage is a bad idea, and even name-dropping PASETO as the supposedly better option for short-lived tokens.
But the real fireworks are in the comments, where the crowd instantly splits into team ‘burn it down’ and team ‘calm down, it depends’. One commenter tied the whole thing to the recent FIFA hack like a digital ghost story: a spooky “just a reminder” that security shortcuts can come back to haunt you. Another jumped in with the classic internet correction: this warning is really about browser logins, not every use of JWTs everywhere. Then came the eye-roll brigade. A deadpan “2019” landed like a meme, basically suggesting this debate is ancient and people are once again relitigating the same nerd civil war.
The pushback got spicy fast. Critics argued the anti-JWT case is overdramatic because you can still revoke bad tokens, keep them short-lived, and refresh them safely. Supporters, meanwhile, treated JWTs like the tech world’s favorite overhyped life hack: flashy, everywhere, and secretly making things worse. In other words, the comments read less like a security discussion and more like a reunion episode where everyone still has receipts.
Key Points
- The article argues that JWTs should not be used for browser-based user login sessions and recommends regular cookie sessions instead.
- It states that JWTs are intended for very short-lived tokens, while user sessions generally require longer lifetimes.
- The article claims secure authentication cannot be truly stateless in practice, because token handling still requires server-side state.
- It advises against storing authentication credentials, including JWTs, in localStorage or sessionStorage.
- For short-lived signed tokens, the article recommends PASETO and says frameworks such as Express can use standard session middleware and backing stores.