How do you keep a user logged in?
Sessions (Stateful)
- User logs in.
- Server creates a session ID and stores it in the DB/Redis.
- Server sends the ID in an HttpOnly cookie.
Pros: Revocable (an admin can ban a user instantly). Secure.
Cons: Needs a database lookup on every request.
JWT (Stateless)
- User logs in.
- Server signs a JSON token (Header + Payload + Signature).
- Server sends token. Client stores it.
Pros: No DB lookup per request. Servers scale horizontally without shared session state.
Cons: Hard to revoke (needs a blacklist). If a token is stolen, the attacker has access until it expires.
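The two flows above side by side, as an added example (not from the original note): a minimal HS256 JWT signer/verifier next to an in-memory session store, with a demo that bans a user and shows the session dies instantly while the signed token stays valid until its exp. The key, user names and timestamps are constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets, time

KEY = b"placeholder-hs256-key"  # constructed demo key; a real app loads it from a secret store

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, key: bytes = KEY) -> str:
    """Header + Payload + Signature (HS256), each base64url-encoded and dot-joined."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes = KEY, now=None):
    """Return the payload if signature and expiry check out, else None. No store lookup."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    if json.loads(_unb64url(header)).get("alg") != "HS256":  # pin the algorithm server-side
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):  # constant-time comparison
        return None
    payload = json.loads(_unb64url(body))
    return payload if payload.get("exp", 0) > (time.time() if now is None else now) else None

# Stateful alternative: an opaque session ID resolved by a store lookup on every request.
SESSIONS = {}  # session ID -> user; stands in for the DB/Redis table

def create_session(user: str) -> str:
    sid = secrets.token_urlsafe(32)  # unguessable and carries no data itself
    SESSIONS[sid] = user
    return sid

def ban_user(user: str) -> None:
    """Admin ban: deleting the sessions revokes them at once; an issued JWT cannot be recalled."""
    for sid in [s for s, u in SESSIONS.items() if u == user]:
        del SESSIONS[sid]

def revocation_demo(now: float = 1_700_000_000.0):
    """Return (session still valid, JWT still valid) right after the user is banned."""
    sid = create_session("alice")
    token = sign_jwt({"sub": "alice", "exp": now + 3600})
    ban_user("alice")
    return sid in SESSIONS, verify_jwt(token, now=now) is not None  # -> (False, True)
```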
Conclusion
For monolithic apps (e.g. Django), stick to sessions. They are secure and batteries-included.
For microservices, JWT is the standard.