Contrast stateless JWT authentication with server-side sessions: how each works, and the real trade-off around revocation. Explain the access-token + refresh-token pattern — why access tokens are short-lived, where each is stored, and how refresh-token rotation with reuse detection works. Then explain the concrete risks of putting a JWT in localStorage vs an httpOnly cookie, and how you would revoke a compromised token before it expires.