hey guys, how am I suppose to protect a route based on the user's session cookie?

My workflow is:
1. I send email and password to back-end and it returns a JWT.
2. I save the JWT in a cookie called session

Checking if the cookie session exists doesn't protect me from a tempered cookie.