
Node with sessions or JWT for large user base application?


I am building a production website and plan to have a large number of users with different roles. My current practice is redis/sessions containerized, auto-scaled Elastic Beanstalk deploy. However, as users increase, would it be wiser and most cost-effective to use a JWT? It sounds nice, but the idea of it being in local storage seems to be too large a security risk? I just want to build it right to save headaches later down the line.


Solution

  • For starters, consider that JWT is not a replacement for session storage. You’ll need to store any session-state data elsewhere after a move to JWT. JWT will give you authentication and authorization through claims. The token itself is signed, so you can and should verify the signature to ensure authenticity. JWT is good for stateless apps, SPA apps or cross application authentication.

    Secondly, consider how large you expect to scale to. Using Redis for session storage is very likely to take you very far before you need something more. Expect that limit to be well over 1k req/sec. At that time, it’s very likely you’ll have far more issues to resolve in your architecture. Sharding your sessions across multiple Redis instances will be an option for growth as well.

    In the meantime, optimize your use of session storage. Don’t overuse it beyond auth. The more you do, the more painful the migration to JWT will be.

    Some final thoughts: Do your research. Don’t prematurely optimize. But your head is in the right place to be thinking about it.