JWT or session cookie for API for both web and mobile app?

Before going into the details I will say that both session cookies and JWTs work for your case and both are secure if implemented correctly. Personally I would go with JWTs if only because it's easier to get up-to-date information or ready-built solutions.


JWTs were really designed with stateless authorization in mind, but you can still use them for sessions. You'll want to look in particular at using an access/refresh token model where you keep track of active refresh tokens in your database.

As for encryption, there are two main implementations of the JWT standard, namely JWS (a signed token) and JWE (signed then encrypted token). What you want to keep in mind is that a signed token's signature already ensures the integrity of the token. You would only implement JWE if you are also passing sensitive information in the token that you want obscured from the client. However, JWT by itself does not solve problems with man-in-the-middle attacks, so you should remember to use SSL whenever transmitting the token.

Storage of the token will differ between your web app and mobile native app. For mobile apps you should store them in the OS's Keychain/Keystore (most likely through a wrapper), which is designed for such a purpose. Where to store JWTs in a browser, on the other hand, is still a rather controversial topic, as storing in webstorage (sessionStorage/localStorage) is vulnerable to XSS attacks while storing inside a cookie is vulnerable to CSRF.

From what I can gather the general trend is to avoid webstorage due to its larger attack surface, but to be honest I've seen examples of both methods. For single page applications you can also consider keeping the token in memory without persistent storage.

Session Cookies

Without knowing details of your mobile app it is hard to say, but from my experience, if you are using the CookieManager/NSHTTPCookieStorage mechanisms provided by Google/iOS, there shouldn't be the problem of deleted cookies that you describe.

Storing cookies in the browser will require you to secure them against CSRF. What protection you should use will depend greatly on your specific server implementation and restrictions, and I think you should check out the resources on OWASP or ask a more specific question.
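The access/refresh token model the answer above recommends, as an added example that is not part of the original answer or of any particular library. It signs compact JWS tokens with HS256 using only the Python standard library, verifies them with the algorithm pinned server-side (so a token claiming `alg: none` is rejected), and keeps active refresh tokens in a server-side table with rotation: each refresh token is accepted once, and a rotated token showing up again is treated as a theft signal that revokes all of that user's refresh tokens. The key, the TTLs, the in-memory dict standing in for the database, and the `typ`/`jti` claim names are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed example key: a real server loads this from its secret store.
SERVER_SECRET = b"constructed-example-hmac-key-not-for-production"
ACCESS_TTL = 15 * 60            # short-lived, verified statelessly
REFRESH_TTL = 30 * 24 * 3600    # long-lived, tracked in the database

# Stand-in for the database table of active refresh tokens: jti -> record.
refresh_tokens = {}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(claims: dict) -> str:
    """Produce a compact JWS (HS256) over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(SERVER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_jws(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature checks out and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; never let the token choose it (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(SERVER_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def issue_tokens(user_id: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Mint an access token plus a refresh token whose id (jti) is recorded in the database."""
    now = int(time.time() if now is None else now)
    access = sign_jws({"sub": user_id, "typ": "access", "iat": now, "exp": now + ACCESS_TTL})
    jti = secrets.token_urlsafe(16)
    refresh = sign_jws({"sub": user_id, "typ": "refresh", "jti": jti, "iat": now, "exp": now + REFRESH_TTL})
    refresh_tokens[jti] = {"sub": user_id, "revoked": False}
    return access, refresh


def revoke_all_for(user_id: str) -> None:
    """Server-side logout on every device: the user's refresh tokens stop working at once."""
    for record in refresh_tokens.values():
        if record["sub"] == user_id:
            record["revoked"] = True


def refresh_session(refresh_token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Rotate: a live refresh token is accepted once, revoked, and replaced by a new pair."""
    claims = verify_jws(refresh_token, now)
    if claims is None or claims.get("typ") != "refresh":
        return None  # expired, tampered, or an access token used as a refresh token
    record = refresh_tokens.get(claims.get("jti"))
    if record is None:
        return None  # signed by us, but never recorded or already purged
    if record["revoked"]:
        # A rotated token presented again is a reuse signal (likely theft): cut the user off.
        revoke_all_for(record["sub"])
        return None
    record["revoked"] = True
    return issue_tokens(claims["sub"], now)


if __name__ == "__main__":
    access, refresh = issue_tokens("alice")
    print("access claims:", verify_jws(access))
    new_access, new_refresh = refresh_session(refresh)
    print("old refresh accepted again?", refresh_session(refresh) is not None)
    print("new refresh still valid after the reuse?", refresh_session(new_refresh) is not None)
```

The access token is what the web and mobile clients send on every API call and is checked without touching the database; only the refresh endpoint hits the `refresh_tokens` table, which is what makes logout and revocation possible despite the stateless design.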
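A concrete shape for the CSRF protection the answer says a cookie-stored token needs, as an added example that is not part of the original answer and not any framework's own implementation. It combines the cookie attributes that limit exposure (`HttpOnly`, `Secure`, `SameSite=Strict`) with two request-time checks on state-changing methods: the `Origin`/`Referer` must match the site, and the request must carry an `X-CSRF-Token` header equal to an HMAC derived from the session cookie (a signed double-submit token), which a cross-site form post cannot supply. The site origin, the cookie name, the header name and the key are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed example values; a real server loads these from its config/secret store.
CSRF_KEY = b"constructed-example-csrf-key-not-for-production"
SITE_ORIGIN = "https://app.example.com"
SESSION_COOKIE = "session"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def session_set_cookie(token: str) -> str:
    """Set-Cookie value for the token: unreadable by script, HTTPS-only, not sent cross-site."""
    return f"{SESSION_COOKIE}={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


def csrf_token_for(session_token: str) -> str:
    """Signed double-submit value: bound to the session, so an attacker cannot mint one."""
    return hmac.new(CSRF_KEY, session_token.encode(), hashlib.sha256).hexdigest()


def parse_cookies(header: Optional[str]) -> Dict[str, str]:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def same_origin(source: str) -> bool:
    """Compare scheme://host of an Origin or Referer value against the site origin."""
    return source.split("/", 3)[:3] == SITE_ORIGIN.split("/", 3)[:3]


def csrf_check(method: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request carrying the session cookie may change state."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    session = parse_cookies(h.get("cookie")).get(SESSION_COOKIE)
    if session is None:
        return False, "no session cookie"
    # Layer 1: the browser states where the request came from; reject other sites.
    source = h.get("origin") or h.get("referer")
    if source is None:
        return False, "missing Origin/Referer"
    if not same_origin(source):
        return False, "cross-origin source"
    # Layer 2: a value only same-origin script could have obtained and echoed back.
    presented = h.get("x-csrf-token", "")
    if not hmac.compare_digest(presented, csrf_token_for(session)):
        return False, "bad CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sess = "constructed-session-token"
    print(session_set_cookie(sess))
    legit = {"Cookie": f"session={sess}", "Origin": SITE_ORIGIN, "X-CSRF-Token": csrf_token_for(sess)}
    forged = {"Cookie": f"session={sess}", "Origin": "https://evil.example"}
    print("legit POST:", csrf_check("POST", legit))
    print("cross-site form POST:", csrf_check("POST", forged))
```

The check only matters for requests where the browser attaches the cookie automatically; a mobile client or script that sends the token in an `Authorization` header is not subject to CSRF and needs none of this. Keep the origin check even with `SameSite` set, since it costs nothing and covers clients that do not honour the attribute.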