In my opinion JWTs in general and Guardian is appropriate for an API endpoint. Its not really geared towards web applications, for reasons that are well articulated in this somewhat salty article.
Cookie-based sessions work great. If you want a helper library, I can recommend doorman without reservation. We’ve been using it in production since January and have no complaints. We also use Guardian for our API endpoints (used by third-party applications - our SPA JSON endpoints still just use cookies).






















