-2

With sessions you can easily monitor and track how many times a user tries and fails to log in, and when the number of failures is higher than a certain threshold you just reject the request, in order to prevent a hacker from querying the database too many times and guessing the credentials. Is there any strategy available to monitor user log-in attempts using a pure JSON Web Token approach?

The only solution I have managed to find so far is to use a session for the log-in page and, once the user is logged in, use JWT for each request. Because a user logs in once every few weeks, thanks to JWT the server overload should be small, I presume. What do you think about this strategy?

Cleber Jorge Amaral
  • I know that I can use a captcha, the IP address and the session. What I am interested to know is whether there is a way to use JWT that allows me to monitor how many times a user tried to log in. For example I could use a JWT token for a failed log-in and monitor the log-in with that token, but it can be easily deleted. – Marck Duilberg Nov 23 '15 at 10:02
  • That should be an edit to the question, not a comment. – Tom Zych Nov 23 '15 at 10:12

1 Answer

2

Preventing brute forcing on forms can be done in multiple ways. Some common methods are:

  • Using a captcha
  • Logging the IP address and amount of login attempts
  • Logging login attempts using sessions

Captcha

A captcha is a good method to prevent brute forcing. However, visitors might find this annoying. Google's new captcha places a button below your login script. This button says: 'I am not a robot'. By the way in which you click this button, Google can determine if you are human or not. I find this to be the best method.

Logging the IP

You see this method being used on a lot of forums. You'll have to wait 15 minutes after 5 failed login attempts. This prevents users from trying multiple logins.

Session logging

This works the same as the IP logging; however, sessions can easily be manipulated.

Resources

In this question you can find a lot more information about preventing brute forces.

Peter
  • I know that I can use sessions. But my question is: is it possible to determine how many times a user has failed to log in just with JWT? I could use a session only on the log-in page, but the session token can be easily deleted from the browser, so if the hacker deletes the token I cannot keep track of how many times it is attempting to log in. The IP method is not that reliable because it can be changed. – Marck Duilberg Nov 23 '15 at 09:57
  • I know that I can use a captcha, the IP address and the session. What I am interested to know is whether there is a way to use JWT that allows me to monitor how many times a user tried to log in. For example I could use a JWT token for a failed log-in and monitor the log-in with that token, but it can be easily deleted. – Marck Duilberg Nov 23 '15 at 10:00
  • I have no experience with JWT, but if it produces a unique token, you could save that token in the database and count the login attempts that way. – Peter Nov 23 '15 at 10:01
  • But to check the token you have to read the database every time the hacker sends false credentials. – Marck Duilberg Nov 23 '15 at 10:06
  • @MarckDuilberg You could do this with a limit. For example, after 50 failed login attempts the IP address is banned. – Peter Nov 23 '15 at 10:14
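A server-side version of the lockout the answer describes (15 minutes after 5 failures), keyed on both the submitted account name and the source IP, with a minimal HS256 JWT issued on success as in the asker's "session for login, JWT afterwards" strategy. This is an added example, not code from the original post or from any JWT library; the class and function names, the in-memory dict store, the PBKDF2 user table and the sample account are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from collections import defaultdict

# Figures from the answer: lock for 15 minutes after 5 failures.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
TOKEN_TTL = 14 * 24 * 3600  # two weeks; the asker expects a login every few weeks
PBKDF2_ROUNDS = 100_000


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_user(password: str):
    """Salted PBKDF2 record for the constructed demo user table."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    """Failed-login counters kept on the server, per account and per source IP.

    Nothing the browser holds takes part in counting, so clearing cookies or
    tokens client-side does not reset the count. The dict store is an
    assumption for this example; a real deployment would use a shared store."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now                      # injectable clock
        self.failures = defaultdict(list)   # key -> timestamps of recent failures

    def _recent(self, key: str) -> list:
        cutoff = self.now() - LOCKOUT_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return self.failures[key]

    def is_locked(self, key: str) -> bool:
        return len(self._recent(key)) >= MAX_FAILURES

    def attempt(self, username: str, password: str, ip: str, users: dict):
        """Returns (jwt_or_None, status); status is ok, locked or bad_credentials."""
        keys = (f"user:{username}", f"ip:{ip}")
        if any(self.is_locked(k) for k in keys):
            return None, "locked"
        record = users.get(username)
        # Run the hash even for unknown names so timing does not reveal them.
        salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if record is None or not hmac.compare_digest(candidate, stored):
            for k in keys:
                self._recent(k).append(self.now())
            return None, "bad_credentials"
        # Success clears the account counter only; the IP counter keeps
        # following a source that may be guessing at other accounts too.
        self.failures.pop(f"user:{username}", None)
        return self.issue_jwt(username), "ok"

    def issue_jwt(self, subject: str) -> str:
        """Minimal HS256 JWT: b64url(header).b64url(payload).b64url(signature)."""
        now = int(self.now())
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + TOKEN_TTL}).encode())
        sig = hmac.new(self.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def verify_jwt(self, token: str):
        """Claims of a valid, unexpired HS256 token, else None."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header, payload, sig = parts
        try:
            hdr = json.loads(_b64url_decode(header))
            if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
                return None  # the token never chooses the algorithm
            expected = hmac.new(self.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_b64url(expected), sig):
                return None
            claims = json.loads(_b64url_decode(payload))
        except (ValueError, UnicodeDecodeError):
            return None
        if claims.get("exp", 0) <= self.now():
            return None
        return claims


if __name__ == "__main__":
    users = {"alice": make_user("correct horse")}   # constructed sample account
    guard = LoginGuard(os.urandom(32))
    print(guard.attempt("alice", "wrong", "203.0.113.5", users))
```

Each attempt costs one keyed lookup in the store rather than a user-table query, which is the cost the comment above worried about, and the counter is keyed on what the server observes (the username being tried and the client address), so a token or cookie the attacker discards changes nothing. Locking the account as well as the IP closes the "change IP" gap raised in the comments; it also lets a remote party lock someone else's account, which is why production systems usually pair an account lock with a notification or a captcha instead of a silent refusal.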