Timely -- I've just been digging through the state of play on session management for web apps, something I haven't worried about for 20 or so years, and the documentation out there is surprisingly chill with regards to best practices, security considerations, etc. I wanted a sort of cookbook that like djb had approved, and there is no such thing that I can find.
For the average web app, it feels like JWT introduces some complexity (and footguns like this) for no real benefit. I mean, you can avoid a session lookup from redis or something, but that's hardly an expensive part of a request. You can always optimise hot, non-session requests (e.g. private image serving can use signed URLs).
Also, you can't revoke sessions unless you have a revocation list, in which case, why not just have a session list?!
Genuinely interested in real use cases for JWTs.
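The trade-off the comment above describes, as an added example (not code from the commenter or from any project discussed): a minimal HS256 JWT-style token verifies with no lookup at all, but revoking it before its expiry requires a denylist of token ids that is consulted on every request, which is per-session state in all but name, while a plain server-side session table revokes with a delete. The key, subjects, timestamps and token layout here are constructed for illustration.

```python
"""Added example: stateless signed tokens vs. a server-side session table.

An HMAC-signed JWT-style token verifies without any store, but revoking it
before expiry needs a denylist checked on every request, which is per-session
state much like a session table. Key, claims and names are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set

SECRET = b"constructed-demo-key"  # assumption: the server's HMAC key, not a real one


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint header.payload.signature with HS256 and a random jti for revocation."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"sub": subject, "exp": int(now) + ttl_seconds, "jti": secrets.token_hex(8)}
    ).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, denylist: Optional[Set[str]] = None,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry hold, else None.

    The algorithm is pinned to HS256 server-side; the token header is never
    consulted to choose it. Revocation only works when a denylist is passed.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    if denylist is not None and claims.get("jti") in denylist:
        return None
    return claims


class SessionStore:
    """Opaque server-side sessions: revoking is a delete, no denylist needed."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, carries no claims
        self._sessions[sid] = {"sub": subject, "exp": now + ttl_seconds}
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        record = self._sessions.get(sid)
        if record is None or record["exp"] <= now:
            self._sessions.pop(sid, None)  # expired records are dropped lazily
            return None
        return record

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def demo(now: float = 1_700_000_000.0) -> Dict[str, bool]:
    """Issue, use and revoke under both designs; returns whether each check passed."""
    tok = issue_token("alice", 3600, now=now)
    header, payload, sig = tok.split(".")
    jti = json.loads(_unb64url(payload))["jti"]
    denylist: Set[str] = set()
    results = {"jwt_before_revoke": verify_token(tok, denylist, now) is not None}
    denylist.add(jti)  # revocation = remembering this jti until exp passes
    results["jwt_after_revoke_with_denylist"] = verify_token(tok, denylist, now) is not None
    results["jwt_after_revoke_no_denylist"] = verify_token(tok, None, now) is not None
    results["jwt_expired"] = verify_token(tok, None, now + 3601) is not None
    # Tamper-evidence: altered claims with the original signature must fail.
    forged_payload = _b64url(json.dumps(dict(json.loads(_unb64url(payload)), sub="bob")).encode())
    results["jwt_forged_claims"] = verify_token(f"{header}.{forged_payload}.{sig}", None, now) is not None

    store = SessionStore()
    sid = store.create("alice", 3600, now=now)
    results["session_before_revoke"] = store.lookup(sid, now) is not None
    store.revoke(sid)
    results["session_after_revoke"] = store.lookup(sid, now) is not None
    return results
```

Running `demo()` shows the asymmetry directly: without a denylist the revoked token keeps verifying until `exp`, and with one the server is back to holding a record per live session, which is the "why not just have a session list?" point.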
Edit: Maybe I'm misreading. I thought the domain was changed from "breakthroughjuniorchallenge.org" to ".breakthroughjuniorchallenge.org" but maybe it was changed from nothing (which might display as "breakthroughjuniorchallenge.org" in browser debug tools but really is a host-without-subdomains cookie) to ".breakthroughjuniorchallenge.org", which should be the same as changing it from nothing to "breakthroughjuniorchallenge.org" too, I think.
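To make the cookie-scope question above concrete, here is an added example (not the commenter's code) that implements the relevant RFC 6265 rules: a Set-Cookie header with no Domain attribute yields a host-only cookie, while `Domain=example.org` and `Domain=.example.org` are treated identically (the leading dot is ignored) and both make the cookie domain-wide, so it is also sent to every subdomain. The cookie values are constructed, and the public-suffix check that real browsers additionally apply is left out.

```python
"""Added example: how a Set-Cookie Domain attribute changes a cookie's reach.

Implements RFC 6265 domain handling: no Domain attribute gives a host-only
cookie; Domain=example.org and Domain=.example.org are equivalent and make the
cookie domain-wide (sent to subdomains). Public-suffix checks are omitted.
"""
import re
from typing import Dict, Optional, Tuple

Scope = Tuple[str, bool]  # (cookie domain, host_only)


def _domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching; IP literals never suffix-match."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return host.endswith("." + domain) and re.fullmatch(r"[0-9.]+", host) is None


def parse_cookie_scope(set_cookie: str, request_host: str) -> Optional[Scope]:
    """Scope a Set-Cookie header received from request_host (section 5.3).

    Returns None when the Domain attribute does not cover the responding host,
    in which case a user agent ignores the cookie entirely.
    """
    domain_attr = ""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.strip().lower() == "domain":
            value = value.strip().lower()
            domain_attr = value[1:] if value.startswith(".") else value  # section 5.2.3
    if not domain_attr:
        return (request_host.lower(), True)  # host-only: exact host match required
    if not _domain_matches(request_host, domain_attr):
        return None
    return (domain_attr, False)


def cookie_sent_to(scope: Scope, request_host: str) -> bool:
    """Section 5.4: host-only cookies need an exact host; others domain-match."""
    domain, host_only = scope
    if host_only:
        return request_host.lower() == domain
    return _domain_matches(request_host, domain)


def compare_scopes(setting_host: str = "breakthroughjuniorchallenge.org") -> Dict[str, Dict[str, bool]]:
    """Which hosts receive each variant of a constructed session cookie."""
    variants = {
        "no Domain": "session=abc123; Path=/; Secure; HttpOnly",
        "Domain=host": f"session=abc123; Path=/; Domain={setting_host}",
        "Domain=.host": f"session=abc123; Path=/; Domain=.{setting_host}",
    }
    targets = [setting_host, "www." + setting_host, "unrelated.example"]
    table: Dict[str, Dict[str, bool]] = {}
    for label, header in variants.items():
        scope = parse_cookie_scope(header, setting_host)
        table[label] = {t: scope is not None and cookie_sent_to(scope, t) for t in targets}
    return table
```

`compare_scopes()` returns identical rows for the dotted and undotted Domain forms, and a narrower row for the header without Domain, which is exactly the widening that matters when a session cookie goes from host-only to shared with every subdomain.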