
Every time someone asks me “should I use sessions or JWTs?”, I know what’s actually behind the question. They’ve read a few blog posts, seen the word “stateless” thrown around like it’s automatically better, and now they’re stuck. So let’s settle this properly - not with buzzwords, but with what’s actually happening on the wire and on your server.
Sessions: the “we keep a record at the front desk” approach

Think of session-based auth like checking into a hotel. You show your ID once at the front desk, the staff verifies it, and they hand you a room key card. That card doesn’t contain your name, your passport number, or your booking details - it’s just a random number. The hotel’s computer system has all your actual information stored in their database, linked to that card number.
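Here is the front-desk model as an added example in Python (not code from the original post). The browser only ever holds an opaque random ID; everything about the user lives server-side, keyed by that ID. The `SessionStore` class, the one-hour `SESSION_TTL`, the injectable `clock`, and the `set_cookie_header` helper are all my own assumptions for illustration; a real deployment would back the dict with Redis or a database.

```python
import secrets
import time

# Assumed lifetime for a session record, in seconds (illustrative value).
SESSION_TTL = 3600


class SessionStore:
    """In-memory stand-in for the hotel's database.

    Maps an opaque session ID (the key card number) to the real data about
    the guest. Nothing in the ID itself says who the user is.
    """

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._sessions = {}  # session_id -> {"user_id": ..., "expires": ...}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested deterministically

    def create(self, user_id):
        """Check the guest in: mint an unguessable ID and record who it belongs to."""
        # 32 bytes from the OS CSPRNG: long enough that guessing is hopeless,
        # and carrying no information about the user.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "user_id": user_id,
            "expires": self._clock() + self._ttl,
        }
        return session_id

    def lookup(self, session_id):
        """Resolve a presented ID to a user, or None if unknown or expired."""
        record = self._sessions.get(session_id)
        if record is None:
            return None
        if self._clock() >= record["expires"]:
            # Expired: drop the record so the old ID can never be revived.
            del self._sessions[session_id]
            return None
        return record["user_id"]

    def revoke(self, session_id):
        """Check the guest out: the key card stops working immediately, server-side."""
        return self._sessions.pop(session_id, None) is not None


def set_cookie_header(session_id, name="session"):
    """What actually goes on the wire: just the random ID, with defensive flags.

    HttpOnly keeps script from reading it, Secure keeps it off plaintext HTTP,
    SameSite=Lax blunts cross-site request forgery. Assumed defaults.
    """
    return f"{name}={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("Set-Cookie:", set_cookie_header(sid))
    print("lookup ->", store.lookup(sid))
    store.revoke(sid)
    print("after revoke ->", store.lookup(sid))
```

Note that revocation and expiry are decided entirely by the server's record, which is the property the "front desk" metaphor is really about: the card itself never has to change for it to stop working.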