Infrastructure June 17, 2026 mixed ⇧ 896 pts across 2 threads

JWT security debate resurfaces after FIFA hack

A thread titled 'Stop Using JWTs' got traction after the FIFA hack, with the framing that browser-based user sessions should not use JWTs. The top comment immediately qualified this: JWTs are fine for service-to-service communication, the problem is specifically using them for user session management in browsers. The article being linked is from 2019, which tells you something about how often this debate recurs.

The pattern is familiar. A high-profile breach reignites a security debate that the security community has been having for years. The underlying argument against JWTs for sessions is sound: you can't revoke them easily, they carry sensitive claims client-side, and most teams implement them wrong. But the 'stop using X' framing always generates more heat than clarity.

The Bash /dev/tcp thread ran the same day: someone discovered you can make HTTP requests without curl by writing directly to /dev/tcp. The response was appropriately cautious: fine for internal debugging, dangerous for anything touching remote services, because HTTP/1.1 is harder to implement correctly than it looks.
So what?

If you are using JWTs for user sessions in a browser-based app, revisit the decision. Not because JWTs are inherently broken, but because stateless session tokens that can't be revoked are a liability when a user reports their account compromised. Opaque session tokens stored server-side are easier to reason about for user auth specifically.
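To make the revocation point concrete, here is an added example (not from either thread or the linked article) that signs a minimal HS256 JWT by hand and puts it next to an opaque server-side session store; the key, user name and timestamps are constructed. After the user's sessions are revoked, the opaque handle is rejected while the JWT keeps validating until its exp.

```python
import base64, hashlib, hmac, json, secrets
SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(sub: str, ttl: int, now: float) -> str:
    # Minimal HS256 JWT (header.payload.signature), no external dependency.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": int(now) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: float):
    # Stateless: only signature and expiry are checked, so a stolen token
    # stays valid until exp no matter what the user or the server has done since.
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    return claims["sub"] if claims["exp"] > now else None
class OpaqueSessionStore:
    # Server-side sessions: the token is a random handle, all state lives here.
    def __init__(self):
        self._sessions = {}
    def issue(self, sub: str, ttl: int, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (sub, int(now) + ttl)
        return token
    def verify(self, token: str, now: float):
        entry = self._sessions.get(token)
        return entry[0] if entry and entry[1] > now else None
    def revoke_user(self, sub: str) -> int:
        # Drop every session for a user, e.g. after a compromise report.
        doomed = [t for t, (s, _) in self._sessions.items() if s == sub]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)
def compromise_scenario():
    # Constructed scenario: "alice" reports a compromise one minute after login.
    t0 = 1_700_000_000.0
    jwt, store = issue_jwt("alice", 3600, t0), OpaqueSessionStore()
    opaque = store.issue("alice", 3600, t0)
    store.revoke_user("alice")  # the stateless JWT has no equivalent operation
    return {"jwt_still_valid": verify_jwt(jwt, t0 + 60) == "alice",
            "opaque_still_valid": store.verify(opaque, t0 + 60) == "alice"}
```

The usual workaround, a server-side denylist keyed on a jti claim, does close the gap, but it reintroduces exactly the per-request state lookup that the opaque store already has.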
