A method for tracking and identifying an identity of a user accessing a web application. An application normal behavior profile (NBP), wherein said NBP includes a plurality of authentication identifiers of the web application is generated. It is determined using the NBP whether an authentication request submitted by the user was successful. A first actionable data on a successful authentication request is saved. A second actionable data on an unsuccessful authentication request is saved.