Well, I would check for the session where you said, and I would not allow a login attempt without a session at all. The fact that the attacker would always have to visit the login form and keep the session to attempt a login should slow his attack speed down enough.
I'm not sure if this was any help, but I hope it didn't make you stupider.
Experience is something you get just after you really need it.
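One way to implement the check described in the post above, as an added example that is not part of the original post: a single-file PHP login endpoint that rejects any POST whose session never loaded the form. The single-use `login_token` field and the `check_credentials()` helper with its demo account are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

session_start([
    'cookie_httponly' => true,
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true,   // reject session IDs the server did not issue
]);

// Hypothetical stand-in for the application's real user lookup.
function check_credentials(string $user, string $pass): bool
{
    static $hash = null;         // constructed demo account, hashed at runtime
    $hash ??= password_hash('correct horse', PASSWORD_DEFAULT);
    return hash_equals('demo', $user) && password_verify($pass, $hash);
}

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Loading the form is what creates the state a login attempt needs.
    $_SESSION['login_token'] = bin2hex(random_bytes(16));
    $token = htmlspecialchars($_SESSION['login_token'], ENT_QUOTES);
    echo '<form method="post">'
       . '<input type="hidden" name="token" value="' . $token . '">'
       . '<input name="user"><input type="password" name="pass">'
       . '<button>Log in</button></form>';
    exit;
}

// POST: refuse attempts from a session that never saw the form.
$expected = $_SESSION['login_token'] ?? null;
$given    = $_POST['token'] ?? '';
unset($_SESSION['login_token']);          // one attempt per form load

if ($expected === null || !is_string($given) || !hash_equals($expected, $given)) {
    http_response_code(403);
    exit('Load the login form first.');
}

$user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
$pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';

if (check_credentials($user, $pass)) {
    session_regenerate_id(true);          // fresh session ID after authentication
    $_SESSION['user'] = $user;
    exit('Logged in.');
}
http_response_code(401);
echo 'Invalid credentials.';
```

This adds one form request to every guess but does not cap the number of guesses, so per-account or per-IP throttling is still needed alongside it.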