Serialize Cookie as JWT

[lukasa1993]

Currently remix already stores JSON in cookie with base64 and with secure keys it already signs so its half way there might as well go all the way to RFC spec of JWT in cookie we can use JOSE which supports all runtimes that remix does and has encryption as well and all other features and goodies that JWT spec comes with

[lukasa1993]

sample implementation: https://github.com/remix-run/remix/compare/dev...lukasa1993:jwtcookie?expand=1

not suggesting as PR since it will break existing cookies but maybe under V2 ?

[shamsup]

I don't see the benefit this provides over signed cookies aside from sending encrypted data.

• What's the value in being able to send encrypted data to a client if they shouldn't see it anyway? I could maybe see a use-case for some service with all the state stored in the token, but that seems pretty unique and probably a case to roll your own implementation anyway.
• When would I want to verify the source of a cookie on the client? The headers required beyond the signature are pure overhead and increase the size of cookies, especially for non-cookie-backed sessions, (ie database-backed sessions). The server can already verify the cookie's authenticity by knowing the signing keys.

You can use JWTs for sessions right now by foregoing Remix's cookie and session helpers in favor of your own implementation. The helpers are not required to use sessions in Remix.

[lukasa1993]

this would help to put remix in bigger system with many consumers not just web and at its basic its exactly same as cookie signing it will allow more complex solutions on top of it out of box without removing or restricting anything existing