Can't a system be DDoS'ed with wrongly signed JWTs as well?
Is signature checking (much) cheaper than finding an opaque session ID in a database?
Yes, but it only impacts your stateless app servers, which are easier to scale. Your backend services/stores are protected and not affected by the attack.
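
An added illustration of the point made in the reply above (not code from the thread): it counts how many backend store lookups a burst of invalid credentials causes under opaque session IDs versus signed JWTs. HS256, `SECRET`, `SessionStore`, `auth_opaque`, `auth_jwt` and `backend_lookups` are hypothetical names and assumptions chosen for the example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: HS256 shared secret held by app servers

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mac(signing_input: str) -> str:
    return b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def sign_jwt(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = f"{header}.{b64url(json.dumps(claims).encode())}"
    return f"{body}.{mac(body)}"

class SessionStore:
    """Hypothetical stand-in for the backend database; counts lookups."""
    def __init__(self, sessions):
        self.sessions, self.lookups = dict(sessions), 0
    def get(self, sid):
        self.lookups += 1
        return self.sessions.get(sid)

def auth_opaque(store, sid):
    # Every request, valid or bogus, costs the backend store one lookup.
    return store.get(sid)

def auth_jwt(store, token):
    # Verified on the app server with a fixed algorithm; the store is never touched.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if not hmac.compare_digest(mac(f"{header}.{payload}").encode(), sig.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def backend_lookups(n_bad_requests):
    """Return (store lookups caused by bogus session IDs, by forged JWTs)."""
    store = SessionStore({"sid-alice": {"sub": "alice"}})
    forged = sign_jwt({"sub": "alice"})[:-4] + "!!!!"  # constructed bad signature
    for i in range(n_bad_requests):
        auth_opaque(store, f"bogus-{i}")
    opaque_hits = store.lookups
    for _ in range(n_bad_requests):
        auth_jwt(store, forged)
    return opaque_hits, store.lookups - opaque_hits
```

The app server still pays one HMAC computation per forged token, so the CPU cost does not disappear; it stays on the tier that holds no state.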