JWT (stateless): client stores the signed token; the server verifies it without a lookup. Good for APIs, multi-service, short TTL. Harder to revoke globally before expiry.
Server sessions (stateful): server stores the session; the client holds only an opaque session id in a cookie. Easy revocation/rotation, simpler CSRF handling with SameSite cookies.
Rule of thumb: default to server sessions for web apps; use JWT for mobile/API or where you truly need statelessness.
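Added example (not part of the original note): the two models side by side in plain Python, stdlib only. The session store revokes with one delete; the HS256 JWT is verified purely from its signature and short `exp`, so revoking it early means adding a `jti` denylist, i.e. reintroducing server state. `SECRET`, the session TTLs and the claim layout are assumptions for the demo.

```python
import base64, hashlib, hmac, json, secrets, time
SECRET = b"constructed-demo-key-not-for-production"  # placeholder signing key

# --- Stateful: server-side session store, opaque id travels in a cookie ---
SESSIONS = {}  # session_id -> {"user": ..., "expires": ...}

def create_session(user, ttl=3600, now=None):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "expires": (now or time.time()) + ttl}
    return sid

def revoke_session(sid):
    SESSIONS.pop(sid, None)  # global revocation is a single delete

def check_session(sid, now=None):
    s = SESSIONS.get(sid)
    if s is None or (now or time.time()) >= s["expires"]:
        return None
    return s["user"]

# --- Stateless: HS256 JWT, short TTL; early revocation needs a denylist ----
REVOKED_JTI = set()  # the server state JWT was supposed to avoid
def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _sign(header: str, payload: str) -> bytes:
    return hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()

def issue_jwt(user, ttl=300, now=None):
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    claims = {"sub": user, "exp": int((now or time.time()) + ttl), "jti": secrets.token_hex(8)}
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64(_sign(header, payload))}"

def check_jwt(token, now=None):
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    # Always verify with our own HS256 key; the token's alg header is not trusted.
    if not hmac.compare_digest(_sign(header, payload), _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    if (now or time.time()) >= claims["exp"] or claims["jti"] in REVOKED_JTI:
        return None
    return claims["sub"]

def revoke_jwt(token):  # only works because we keep REVOKED_JTI server-side
    REVOKED_JTI.add(json.loads(_unb64(token.split(".")[1]))["jti"])
```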