You can automatically start a session for each person who hits your site. Then in the session variable, store the number of login attempts and if they are blocked, a time when they will be unlocked.

When processing the login, if the password and username does not match and the time limit has not expired and the number of tries has been exceeded, display a message to the user.

Your database table could look like this:

sessions
==========
id
num_tries //Number of login attemps
block_expires //If they are blocked, when they can be unblocked.

This approach assumes that the user will assume a session cookie. They can easily get around this by clearing their cookies.

In order to mitigate that some what, you can build some smarts into the process:

• If the logins are coming from the same IP address AND the account they are trying to access does not change, then block the account (not the session!) for a set period of time.