
Node.js

JWT in Cookie Authentication

September 20, 2022

/*

Why You Shouldn't use this Method


*/

Using a JWT in a cookie to authenticate a user comes with several risks, such as cross-site request forgery, a bloated token with too much overhead, & XSS (cross-site scripting) attacks. Since I discovered these risks after I found out about this method, I learned how to do it, but I wouldn't recommend using it.

/*

Creating the Cookie & Token on Login


*/

We have a login route that will take a username & password. If the username & password are correct, we'll create a cookie & a JWT. We'll put the JWT inside the cookie so it can be sent with the request. If the username & password are not correct, we'll redirect the user.

Creating the cookie & JWT on successful login

/*

Authenticating Routes


*/

We just got redirected to the dashboard. If the cookie is authenticated, we will grab the JWT inside & verify it. If they're both correct, we'll display the dashboard. This authentication will be repeated for other routes like the dashboard.

Authenticate the cookie & JWT

/*

Deleting the Cookie when the User Logs Out


*/

The last route will be the logout route. There will be a link to it in the route pages, such as the dashboard. When we click the link, we will destroy the cookie & access to the JWT.

Deleting the cookie & access to the JWT.
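
The login, route check & logout steps described above, written with only Node's built-in crypto module so it runs without a framework or JWT library. This is an added example, not the post's original code; the secret, cookie name, claim names & function names are all assumptions.

```javascript
// Added example, not the post's original code; all names here are assumptions.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: read from a secret store in real use
const COOKIE = 'token';                   // assumption: cookie name
const ATTRS = 'Path=/; HttpOnly; Secure; SameSite=Strict';
const b64url = (v) => Buffer.from(v).toString('base64url');
const HEADER = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Login: sign a short-lived HS256 token and put it in a hardened cookie.
function signJwt(claims, ttlSeconds, now = Date.now()) {
  const exp = Math.floor(now / 1000) + ttlSeconds;
  const payload = b64url(JSON.stringify({ ...claims, exp }));
  const sig = hmac(`${HEADER}.${payload}`).toString('base64url');
  return `${HEADER}.${payload}.${sig}`;
}

function loginCookie(username, ttlSeconds = 900, now = Date.now()) {
  // HttpOnly hides the token from page scripts (XSS); SameSite limits cross-site sends (CSRF).
  const jwt = signJwt({ sub: username }, ttlSeconds, now);
  return `${COOKIE}=${jwt}; Max-Age=${ttlSeconds}; ${ATTRS}`;
}

// Protected route: verify signature and expiry before trusting any claim.
function verifyJwt(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  if (header !== HEADER) return null; // pin the algorithm; rejects alg "none" and others
  const expected = hmac(`${header}.${payload}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  return claims.exp > Math.floor(now / 1000) ? claims : null;
}

function authenticate(cookieHeader = '', now = Date.now()) {
  const pair = cookieHeader.split(';').map((c) => c.trim())
    .find((c) => c.startsWith(`${COOKIE}=`));
  return pair ? verifyJwt(pair.slice(COOKIE.length + 1), now) : null;
}

// Logout: expire the cookie with the same attributes it was set with.
function logoutCookie() {
  return `${COOKIE}=; Max-Age=0; ${ATTRS}`;
}
```

Clearing the cookie only removes the browser's copy: a token that was copied elsewhere still verifies until its `exp` passes, which is why the lifetime here is kept short.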


About the Author

Christopher Howard

Chris is a JavaScript developer with a minor in UI design. He values programming in vanilla code.