In my experience JWT or OAuth tokens are not a(n easy) replacement for good old session cookies. I was trying to leverage them in order to build a stateless auth layer but then faced issues with
- where to securely store them in the browser (cfr.
HttpOnlysession cookies and XSS vulnerabilities) - plain and simple logout mechanics (problematic with JWT or any stateless token)
- the considerable engineering efforts required which, in my case, were just too much (we didn’t need SSO, for intance)
My current thinking is that OAuth2 can offer many extra features compared to plain session cookies, SSO and server-to-server authentication above others, but when it comes to managing web sessions I still think session cookies are still quite a valid option. I might even consider to go as far as using them even if OAuth2 is employed, exchanging the access token for a session cookie (or using the access token itself as such), just for the sake of XSS mitigation.
Some relevant content: https://medium.com/@yuliaoletskaya/can-jwt-be-used-for-sessions-4164d124fe23