security for web applications session vs token

Backend · Unresolved · 2 · 964
自闭症患者 2021-01-26 19:26

Background:
I am developing a web application and plan to use spring-mvc and spring security. My plan is to use form-based authentication where

Related tags:
2 answers
  • 2021-01-26 19:36
    • For Stateless application use JWT
    • For third party applications use OAuth2
    • For Stateful application use Session + CSRF
    0 · Discussion (0)
  • 2021-01-26 19:47

    Most often, it depends on your clients. For example, for mobile clients (e.g. JSON payload over HTTP), there is no such thing as a Session.

    JWT

    • JWT has the advantage to work cross-origin over different domains
    • Therefore, JWT-based authentication scales better
    • very popular in the age of single-page applications (SPA) / Web APIs
    • pay attention to integrity protection by using either a signature or a MAC. Do not allow unsecured JWTs: {"alg":"none"}

    Session

    • primarily used in conjunction with web browsers
    • Easier to invalidate (remove) a Session. JWT has only an expiration date and is valid until it expires
    • pay attention to the following cookie attributes: Secure, HttpOnly, and, to provide some protection against cross-site request forgery attacks, SameSite=Strict or SameSite=Lax

    Other approaches: Open Source Identity Providers like Keycloak with, e.g., traefik as a load balancer have become quite popular. This brings the advantage that new routes can go live without restarting any service. Also, in some cases, it saves application downtime caused by an excessive rate of API calls.

    To conclude: Many roads lead to Rome. It always depends on the specific requirements, the environment and the skills of the team. Since you use Spring MVC anyway and I guess scalability is not critical, just go with the one you are more comfortable with.

    0 · Discussion (0)
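The integrity point in the answer above ("use a signature or a MAC, do not allow {"alg":"none"}") is easy to get wrong in a hand-rolled verifier, because the attacker controls the header that names the algorithm. The following is an added example, not code from the answer or from Spring Security: a minimal HS256 issue/verify pair using only the Python standard library, with an algorithm allowlist, constant-time MAC comparison and an expiry check, plus an attacker-style `forge_alg_none` helper that shows what a naive verifier would accept. The secret, the subject names and the timestamps are constructed for the demonstration.

```python
"""Minimal JWT (HS256) issue/verify with an explicit algorithm allowlist.

Added example, not code from the original answer or from Spring Security.
The secret, subject names and timestamps are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A deployment loads this from a secret store.
SECRET = b"demo-secret-do-not-use-in-production"

# The verifier accepts exactly the algorithms the server itself issues.
# "none" is never in this set, so an unsigned token can never pass.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Server side: MAC header.payload with HMAC-SHA256 and append it."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def forge_alg_none(claims: dict) -> str:
    """Attacker side: an 'unsecured JWT' ({"alg":"none"}) with an empty signature.
    A verifier that trusts the header's alg field would accept any claims here."""
    return encode_segment({"alg": "none", "typ": "JWT"}) + "." + encode_segment(claims) + "."


def verify_hs256(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Verify integrity and expiry; raise ValueError with a reason on rejection."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both derive from ValueError
        raise ValueError("malformed header")
    # 1. Allowlist the algorithm before trusting anything else in the token.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unsupported alg")
    # 2. Recompute the MAC over the exact bytes the client sent and compare
    #    in constant time; never compare MACs with '=='.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # 3. Only now is the payload trustworthy; enforce expiry (the answer's point
    #    that a JWT stays valid until 'exp', so 'exp' must be present and checked).
    claims = json.loads(b64url_decode(payload_b64))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)):
        raise ValueError("missing exp")
    if (time.time() if now is None else now) >= exp:
        raise ValueError("expired")
    return claims


def check_token(token: str, secret: bytes = SECRET, now=None) -> str:
    """Return 'ok' or the rejection reason (handy for logging and tests)."""
    try:
        verify_hs256(token, secret, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    at = 1_700_000_000  # constructed 'current time'
    good = issue_hs256({"sub": "alice", "exp": at + 600})
    print("valid token     :", check_token(good, now=at))
    forged = forge_alg_none({"sub": "admin", "exp": at + 600})
    print("alg=none forgery:", check_token(forged, now=at))
    # Swap in a different payload but keep the genuine signature.
    h, _, s = good.split(".")
    tampered = f"{h}.{encode_segment({'sub': 'admin', 'exp': at + 600})}.{s}"
    print("tampered payload:", check_token(tampered, now=at))
    print("after expiry    :", check_token(good, now=at + 600))
```

The order of the checks matters: the algorithm is fixed by the server's allowlist before the header is believed, the MAC is checked before the payload is parsed for claims, and only a verified payload is consulted for `exp`. A library such as Spring Security's JWT support performs the same steps; the example exists so the reader can see why a verifier that reads `alg` from the token and dispatches on it is the bug behind the `{"alg":"none"}` warning.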