Hear me out: use JWTs as the cookie session value.

- Use ES256

- Always set the JTI to be completely random

- Set iat (issued at time) and exp (expiration time)

- Set iss (issuer) and aud (audience) to match your application

- Set sub (subject) to match whatever unique identifier you use for users

Store the hash of the JWT in your database with a lazy cleanup hook on the expiration time.

Now, you can use this JWT for a cheap WAF at the edge!

Token expired already? No need to query the database, reject.

Audience doesn't match the requested URL? No need to query the database, reject.

Signature doesn't match your public key? No need to query the database, reject.

Everything passes? Query the database for the token hash.

Token hash not in the database? Add the token hash to the WAF's cache (with lazy cleanup hook on the expiration time).

Everything passes but token hash in the WAF cache of rejects? No need to query the database, reject.

etc.

See the benefit? It's defense in depth. If you screw this up, all you lose is the WAF layer.