
How to lock user account on 5 unsuccessful attempts

I have a website developed using asp.net/C#. I would like to lock a user account on 5 consecutive login failures within a time period of 30 minutes. I do not want to do this on the database side. And I know this cannot be done by session variables. I also do not want to use cookies for this, as a user can easily disable cookies.

Is there a perfect way to do this with the above limitations?

chuckyCheese asked Dec 27 '10 22:12


1 Answer

So, no cookies, no session data, no database. Okay, but you need to store the bad-login information somewhere. And it will have to be server-side, because you can't trust any data from the client. So that means a database, or a file, or a magic hat — but you'll need something on a server somewhere holding this data. Options I see:

  • Your own server
    • Database (I know you said you didn't want this, but it's the right thing)
    • File
    • ...
  • Someone else's server
    • Database (Amazon SimpleDB?)
    • Google docs spreadsheet (but again, a database is what you really need)
    • File in an S3 or similar container

You get the idea.

T.J. Crowder answered Nov 14 '22 23:11
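A sketch of the server-side state the answer calls for, as an added example that is not code from the question or the answer. The class name LoginLockout and its methods are hypothetical; it assumes a single server process and that the lock lifts once fewer than 5 failures remain inside the 30-minute window. It keeps the counters in server memory, so replacing the dictionary with a database table or file is what makes them survive a restart.

```csharp
using System;
using System.Collections.Generic;

// Added example (hypothetical class): lockout state held on the server, keyed by username.
public sealed class LoginLockout
{
    private const int MaxFailures = 5;
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(30);
    private readonly object _gate = new object();
    // In server memory only: lost on restart, not shared between servers.
    private readonly Dictionary<string, Queue<DateTime>> _failures =
        new Dictionary<string, Queue<DateTime>>(StringComparer.OrdinalIgnoreCase);

    public bool IsLocked(string user, DateTime nowUtc)
    {
        lock (_gate)
        {
            if (!_failures.TryGetValue(user, out var q)) return false;
            Prune(q, nowUtc);
            if (q.Count == 0) _failures.Remove(user);
            return q.Count >= MaxFailures;
        }
    }

    public void RecordFailure(string user, DateTime nowUtc)
    {
        lock (_gate)
        {
            if (!_failures.TryGetValue(user, out var q))
                _failures[user] = q = new Queue<DateTime>();
            Prune(q, nowUtc);
            if (q.Count < MaxFailures) q.Enqueue(nowUtc); // bounded per account
        }
    }

    // A successful login ends the run of consecutive failures.
    public void RecordSuccess(string user) { lock (_gate) _failures.Remove(user); }

    // Drop failures that have aged out of the 30-minute window.
    private static void Prune(Queue<DateTime> q, DateTime nowUtc)
    {
        while (q.Count > 0 && nowUtc - q.Peek() >= Window) q.Dequeue();
    }

    public static void Main()
    {
        var l = new LoginLockout();
        var t0 = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed sample time
        for (int i = 0; i < 5; i++) l.RecordFailure("alice", t0.AddMinutes(i));
        Console.WriteLine(l.IsLocked("alice", t0.AddMinutes(5)));  // 5 failures in window
        Console.WriteLine(l.IsLocked("alice", t0.AddMinutes(31))); // two have aged out
    }
}
```

Call IsLocked before checking the password and reject the attempt without evaluating credentials while it returns true. Record failures only for usernames that exist, otherwise arbitrary submitted names grow the dictionary without bound.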