> JWTs are a silver bullet, but it's nicer than rolling your own signing scheme.

you can use HMAC to sign session cookies as well, the issue isn't about signing.