client > server > DB
---------------------
login > query > create record in session_table
session_table (DB) sends back a session_id to the client
client, when making a permissioned request, must send the session_id
server then takes the session_id and checks the DB's session_table for its presence
Every device or re-login needs another session_id for the same unique user
Every cookie request needs to be verified against the DB's session_table, so every action is authenticated by a DB lookup.
If you have many users, the session table could have millions of dynamic rows and operations for everyday actions.
JWT removes the need for the session_table and the extra calls to the DB.
Upon client login, the server generates the JWT from the payload and a secret key, and sends it back to the client.
The client then stores it in a cookie or localStorage.
This JWT is sent with each subsequent request to the server, which can decode it and verify its validity on its own (no need to interact with the DB).