Tags: jwt, amazon-cognito, express-session

Using AWS Cognito over Express-Session for session management


I am using AWS Cognito in my application to authenticate users. AWS provides us with a JWT token. My question is: do we need to use express-session for handling session management, or will the JWT token provided by AWS Cognito take care of session management for authenticated users?


Solution

  • When you use Cognito JWT tokens, you don't need an explicit session handler.

    You can send the JWT token to the client side and store it in the web browser (local storage, session storage or a cookie), which provides the persistence of the state (it acts as the session and will be valid for the token duration).

    For all subsequent requests you need to send the JWT in the Authorization header back to your Express server.

    This will have advantages over sessions where your API is consumed by clients other than web browsers, such as mobile apps, since it enables you to implement unified state management.

    To minimize the risk of storing id tokens in local storage for applications that require high security, make the token duration small and generate new tokens using a refresh token.

    Note: You will need to use the Cognito Authorization code grant flow to get the refresh token if you use the Cognito Hosted UI.