Gaining an understanding of Session Cookies and JWT Token

The subject is very broad… I’ve explained before why I think JWTs are useful here and why they don’t necessarily compare to session cookies.

Just so people don’t get it wrong, OWASP has a dedicated section on JWTs (using Java) and the considerations one should take into account when using them for authentication (it is here). It also has many considerations for all other kinds of authentication, even cookie-based session management.

At the same time it advocates the use of OpenID Connect as a widely adopted specification for identity providers, and that protocol uses JWTs a lot. As does OAuth. They are not meant for your use case. Your architecture is a very simple web app for which a session cookie might be enough.

In any case, I think that associating JWTs with an authentication system is not correct. I think it is a tool that has use cases as diverse as ensuring a set of signing and encryption algorithms implemented in a wide variety of languages and in a variety of libraries.

But just to reiterate: your use case is simple, and an HTTP session cookie with any opaque id (it shouldn’t be guessable by the frontend) with the HttpOnly flag set is good enough security (nothing is 100% safe anyway). For other cases with distributed services that won’t be enough, in my humble opinion. Nonetheless, you shouldn’t start with an OAuth/OpenID server if you don’t really know you are going to need it.
