cryptography – How to securely store and use session IDs

I’m not sure what’s the option to store and manage session IDs for long lived sessions (3-6 months each).

Given that the session ID is generated with enough entropy and that the session ID is then given to the user via SSL and a Secure, HttpOnly cookie, these are the options I came up with for storing the session ID:

  1. Just store the session ID in plain text in the database or file system
    • Pros: fast, easy
    • Cons: any compromised backup or unauthorised access to the database gives access to all active sessions
  2. Give both a session ID and a session key to the user and hash the session key before storing them into the database
    • Pros: secure both if the user compromises the server and the database
    • Cons: possibly slow (IIRC cryptographically safe hashing functions are intended to be slow) for something that needs to occur at every request
  3. Create a signed JWT token over that session ID with a secret stored on the server
    • Pros: probably faster than hashing, bigger tokens (as in length)
    • Cons: not secure if both the server and database are compromised

What is the recommended way to manage and most importantly store sessions?
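
Option 2 from the list above, sketched as an added example (not code from the original post): the cookie carries a lookup ID plus a secret key, and the store keeps only a hash of the key. It assumes a single SHA-256 pass as the hash, an in-memory dict standing in for the database, and the hypothetical names `SessionStore`, `create`, `verify` and `dump`.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 180 * 24 * 3600  # assumed lifetime: ~6 months, the upper bound in the question


class SessionStore:
    """In-memory stand-in for the sessions table (hypothetical schema)."""

    def __init__(self):
        self._rows = {}  # session_id -> (key_hash, user_id, expires_at)

    @staticmethod
    def _hash_key(session_key):
        # The key is 256 bits of CSPRNG output, so this sketch uses one fast
        # SHA-256 pass; slow password hashes exist to protect low-entropy secrets.
        return hashlib.sha256(session_key.encode("utf-8")).digest()

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(16)   # lookup handle, stored as-is
        session_key = secrets.token_urlsafe(32)  # secret, never stored
        self._rows[session_id] = (self._hash_key(session_key), user_id, now + SESSION_TTL)
        return f"{session_id}.{session_key}"     # value for the Secure, HttpOnly cookie

    def verify(self, cookie_value, now=None):
        now = time.time() if now is None else now
        # token_urlsafe never emits ".", so the first "." is the separator
        session_id, sep, session_key = cookie_value.partition(".")
        row = self._rows.get(session_id)
        if not sep or row is None:
            return None
        key_hash, user_id, expires_at = row
        # Constant-time comparison of the stored hash with the presented key's hash
        if not hmac.compare_digest(key_hash, self._hash_key(session_key)):
            return None
        if now >= expires_at:
            del self._rows[session_id]  # expired sessions are dropped on sight
            return None
        return user_id

    def dump(self):
        """What a leaked backup of the table would reveal per session."""
        return {sid: row[0].hex() for sid, row in self._rows.items()}
```

A value taken from `dump()` cannot be replayed as a cookie, because `verify` hashes whatever key it is given before comparing.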