Does it make sense to use stateless JWT (without persistent storage) over plain SHA256?
Example scenario:
- User logs in
- User token generated as follows:
  a. JWT.encode(userId, 'secret')
  or
  b. SHA256(userId + 'secret')
- Client app sends request with userId and token
- Request is verified via:
  a. JWT.decode(token, 'secret'), then checking that the resulting JWT.userId matches the request userId
  or
  b. SHA256(userId + 'secret'), then checking that the resulting hash matches the request token
JWT allows token expiration; however, beyond that I don't see any benefit?
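Both schemes from the question, written out as an added example (not the asker's code, and not any JWT library's implementation): scheme (a) is a hand-built HS256 JWT, where the signature is HMAC-SHA256 over `base64url(header).base64url(payload)` and the `exp` claim carries the expiry the question mentions; scheme (b) is the plain `SHA256(userId + secret)` token. The secret, user ids and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"secret"  # constructed sample secret, standing in for the question's 'secret'


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Scheme (a): minimal HS256 JWT. The algorithm is fixed to HMAC-SHA256 on the
# verifying side rather than read from the token's header, so only the secret
# and the signing input decide whether a token verifies.
def jwt_encode(user_id: str, secret: bytes, exp: int) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user_id, "exp": exp}, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_verify(token: str, secret: bytes, expected_user: str, now: int) -> bool:
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False  # malformed token: not three dot-separated parts
    expected_sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    # Constant-time comparison, and the payload is only trusted after the signature checks out.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        return False
    claims = json.loads(_b64url_decode(payload))
    # The subject must match the userId sent in the request, and the token must not have expired.
    return claims.get("sub") == expected_user and claims.get("exp", 0) > now


# Scheme (b): SHA256(userId + secret), exactly as described in the question.
def sha_token(user_id: str, secret: bytes) -> str:
    return hashlib.sha256(user_id.encode() + secret).hexdigest()


def sha_verify(user_id: str, token: str, secret: bytes) -> bool:
    # Recompute the hash for the request's userId and compare in constant time.
    return hmac.compare_digest(sha_token(user_id, secret), token)
```

Note that scheme (b) has no field in which to carry an expiry, so the only way to invalidate such a token is to change the secret, which invalidates every token at once.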