I think I'd better to use sleep(rand(5, 10)); for after xx tries with session cookie validation.
I think CAPTCHA is most suitable way coz almost all sites on the web use it already.
So are there any valunerablities or weakness on CAPTCHA ?
Some Captcha are done by means of md5(secret_key+random_num).
can they said secure ? coz once we get secret_key, .....