Isn't it effective to never let the JWT expire so that the user automatically logs in? Is there a security problem with it?
I don't want to use sessions and/or cookies. They are ineffective.
IMO, it is effective in case the token gets stolen. If you have an infinite expiration time, the intruder has access to the protected resource for the lifetime. Think of this as your password for personal mail. It is often a good idea to change it periodically so that if someone has obtained your password without your knowledge, he won't be able to access your email again after that. Having said that, it is not compulsory to have the expiration time. According to this:
The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.
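An added example (not part of the original answer) of the quoted "exp" processing rule: a minimal HS256 verifier that checks the signature, rejects a token on or after its expiry with a small leeway, and, as a local policy, can refuse tokens that omit "exp". The key, the fixed clock value and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed sample secret, not a real key
NOW = 1_700_000_000            # fixed "current time" so results are repeatable

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, key):
    # Builds a compact HS256 JWT; used here only to create sample tokens.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify_hs256(token, key, now=None, leeway=60, require_exp=True):
    """Return the claims, or raise ValueError if the token must not be accepted."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm the server expects
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if exp is None:  # "exp" is OPTIONAL in the spec; requiring it is a local policy
        if require_exp:
            raise ValueError("missing exp")
        return claims
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("exp is not a NumericDate")
    now = time.time() if now is None else now
    if now >= exp + leeway:  # reject on or after expiry, allowing for clock skew
        raise ValueError("token expired")
    return claims

def decision(token, **kw):
    """Return 'accepted' or the rejection reason, evaluated at the fixed NOW."""
    try:
        verify_hs256(token, KEY, now=NOW, **kw)
        return "accepted"
    except ValueError as exc:
        return str(exc)
```

With `require_exp=False` a token without "exp" verifies indefinitely, which is the stolen-token exposure the answer describes.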