Originally Posted by marek_mar
You could force the user to have a session and that the user was on a login page before you let them log-in.
not sure what you mean. i suppose you mean something like:
- when the user requests the login-form, you start a session
- when the login-form is submitted, you chech ik there is a session.
please do tel me how you will now check how many logins a cracker already tried to make.
because he will just not accept sessioncookies (or will delete it after every logintry) and he will reload the login-form after each trial (reloading it by requesting the url, so without the SID added to the querystring)
so each logintry will create a new session and will be considered as the first attemp.