Laravel API with multiple tenants and mobile clients: JWTs vs sessions?

Hey, we have a PHP-based app with a React web app and an Android client. Our app is using JWTs right now, but it's a bit of a messy implementation and we want to refactor it or even totally switch to sessions.

Why? Because of a few factors which are difficult with JWTs:

  • App is multi-tenant, i.e. a user can belong to multiple groups and then sends requests to endpoints like api.service/{tenant_id}/payment. We use httpOnly, secure cookies to store tokens/JWTs, so they are totally invisible to the app. A user should be able to log in to multiple tenants at the same time, and right now that's problematic because we have only one cookie for it. Mobile apps use a Bearer token, but the web app can use only these cookies, so it's a real problem. With sessions, we can control that at the server level.
  • Performance is often an argument for JWTs, but we want to utilize Redis to store sessions. Also, the app is something like a modular monolith; it's the gateway for everything, so we do not utilize JWT advantages like easy access to multiple distributed services.
  • Revocation: a tenant admin should have the ability to quickly remove access for specific users, and with JWTs it's harder. We can use a blacklist, also in Redis, but it means on every request we need to validate this... it looks very similar to a session operation - but maybe I am wrong?
  • Overall, on each connection the app must get some user data, so even if we have JWTs we still need to call the DB... and each request makes a lot of those calls, so it does not look like a big issue with just an additional Redis call.
  • Handling sessions can be much simpler than adding token generation, refreshing, etc. - ok, there are some great libs for that, but sessions are still just native.

I'm not sure, but it looks like in our case sessions will be the best fit. Maybe I've missed something and should include that? Any feedback is really welcome!

submitted by /u/Left-Cartographer511
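One way to model the two things the post asks about, a single httpOnly cookie that carries logins to several tenants at once and a tenant admin revoking one user's access, as an added Python sketch that is not code from the poster's app or from Laravel; it assumes a plain dict standing in for the Redis keys and constructed tenant ids such as "acme" and "globex".

```python
import hashlib
import secrets
import time
class TenantSessionStore:
    """Server-side session: one cookie-backed session holds logins to several tenants;
    assumption: a dict stands in for the Redis hash/set keys you would really use."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.sessions = {}   # sha256(sid) -> {"tenants": {tenant_id: user_id}, "expires": ts}
        self.by_user = {}    # (tenant_id, user_id) -> set of sha256(sid), used for revocation

    @staticmethod
    def _key(sid):
        # Store only a hash of the cookie value, so a leaked store dump is not a usable cookie.
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256-bit random id; this is the httpOnly cookie value
        self.sessions[self._key(sid)] = {"tenants": {}, "expires": time.time() + self.ttl}
        return sid

    def login_tenant(self, sid, tenant_id, user_id):
        """Attach another tenant login to the same session; False if the session is dead."""
        sess = self._live(sid)
        if sess is None:
            return False
        sess["tenants"][tenant_id] = user_id
        self.by_user.setdefault((tenant_id, user_id), set()).add(self._key(sid))
        return True

    def authorize(self, sid, tenant_id):
        """Per-request check for api.service/{tenant_id}/...: user_id, or None if no access."""
        sess = self._live(sid)
        return None if sess is None else sess["tenants"].get(tenant_id)

    def revoke_user(self, tenant_id, user_id):
        """Tenant admin removes a user: drop that tenant from all of the user's sessions."""
        for key in self.by_user.pop((tenant_id, user_id), set()):
            sess = self.sessions.get(key)
            if sess:
                sess["tenants"].pop(tenant_id, None)  # other tenant logins survive

    def _live(self, sid):
        sess = self.sessions.get(self._key(sid))
        if sess is None or sess["expires"] < time.time():
            self.sessions.pop(self._key(sid), None)
            return None
        return sess
```

A JWT denylist keyed by token id would need the same per-request store lookup, which is the similarity the post suspects.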
