
Limiting login attempts regardless of user?

I have a login system requiring a username and a password. I want to display a captcha after a certain amount of failed login attempts. What is the proper way to implement this? I've read around on this site and some solutions suggest having a 'failed-attempts-count' added to the users table. However, I need the failed attempts to not be tied to a certain user - i.e. I'd like the captcha to be displayed regardless of whether or not the username that was entered exists in the system. Would storing this in a session variable be ok (I am using PHP)? If so, is there no downside to just throwing data as needed into session variables? I already have a session id for every visitor on the site (either logged in or not), so I could create a table that relates login attempts to this session id... any ideas on what the best / most secure approach is? Thanks.

Update: from the answers thus far, it seems like session ID is not the best idea since the hacker could simply clear his/her cache (but is this really an issue, because wouldn't this slow down the brute force attack enough to render it useless?). The other option is by IP... but I am hesitant for users under an intranet or proxy since failed attempts will be shared... I can't really think of any other methods. Can you?

oym asked Dec 28 '25 22:12


1 Answer

The danger of using a session ID is that someone who writes a brute force attack can just clear his cookies with each attempt, thus getting a new session every time.

Keep in mind that an automated brute force attack can be written in a scripting language outside of a browser that could manipulate the cookies sent for each request.

Another way to do this would be to create a table with user source IPs and add the counter there. This will inconvenience users using a proxy server, though. But at least you will catch those trying to repeatedly guess passwords from the same location.

UPDATE: Having to clear cookies during successive brute force attempts would not slow down the attack as this process would be automated and happen almost instantly. Cookie manipulation in these types of attacks is quite common. Modifying a cookie is not the same as clearing your browser's cache (which typically takes a while because it needs to delete a bunch of files). All the attacker needs to do is prevent a cookie from being sent.

Andre Miller answered Dec 31 '25 12:12
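The source-IP counter table the answer describes, written out as an added example (this is not code from the question or the answer): failed attempts are recorded per client IP inside a sliding time window, a captcha is demanded once the count crosses a threshold, and the counter is cleared on a successful login. The class name, table name, column names, thresholds and the sample IP are this example's own assumptions; it uses PDO with an in-memory SQLite database so it runs stand-alone, but the same SQL works against MySQL.

```php
<?php
// Added example (not from the question or the answer above).
// Per-IP failed-login counter with a sliding window, backed by PDO.
// Table name, column names and thresholds are assumptions of this example.

final class LoginThrottle
{
    private PDO $db;
    private int $captchaAfter;   // failures inside the window before a captcha is required
    private int $windowSeconds;  // how far back failures are counted

    public function __construct(PDO $db, int $captchaAfter = 5, int $windowSeconds = 900)
    {
        $this->db = $db;
        $this->captchaAfter = $captchaAfter;
        $this->windowSeconds = $windowSeconds;
        // One row per failed attempt; counting rows in the window avoids a race
        // between "read counter" and "write counter + 1" under concurrent requests.
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS login_failures (
                ip TEXT NOT NULL,
                failed_at INTEGER NOT NULL
            )'
        );
        $this->db->exec(
            'CREATE INDEX IF NOT EXISTS idx_login_failures_ip ON login_failures (ip, failed_at)'
        );
    }

    /** Record one failed attempt from $ip, regardless of which username was tried. */
    public function recordFailure(string $ip, ?int $now = null): void
    {
        $stmt = $this->db->prepare('INSERT INTO login_failures (ip, failed_at) VALUES (:ip, :t)');
        $stmt->execute([':ip' => $ip, ':t' => $now ?? time()]);
    }

    /** Number of failures from $ip that fall inside the window ending at $now. */
    public function recentFailures(string $ip, ?int $now = null): int
    {
        $since = ($now ?? time()) - $this->windowSeconds;
        $stmt = $this->db->prepare(
            'SELECT COUNT(*) FROM login_failures WHERE ip = :ip AND failed_at > :since'
        );
        $stmt->execute([':ip' => $ip, ':since' => $since]);
        return (int) $stmt->fetchColumn();
    }

    /** True once the IP has reached the threshold; the login form should then demand a captcha. */
    public function captchaRequired(string $ip, ?int $now = null): bool
    {
        return $this->recentFailures($ip, $now) >= $this->captchaAfter;
    }

    /** Called after a successful login: clear the counter for that IP only. */
    public function reset(string $ip): void
    {
        $stmt = $this->db->prepare('DELETE FROM login_failures WHERE ip = :ip');
        $stmt->execute([':ip' => $ip]);
    }

    /** Housekeeping (cron or occasional call): drop rows that can no longer affect any count. */
    public function prune(?int $now = null): void
    {
        $stmt = $this->db->prepare('DELETE FROM login_failures WHERE failed_at <= :since');
        $stmt->execute([':since' => ($now ?? time()) - $this->windowSeconds]);
    }
}

// Demonstration with an in-memory database, a constructed client address and a fixed clock.
$throttle = new LoginThrottle(new PDO('sqlite::memory:'), 3, 900);
$ip = '203.0.113.10';   // constructed sample address from the TEST-NET-3 documentation range
$t0 = 1700000000;       // fixed timestamp so the run is deterministic

for ($i = 0; $i < 3; $i++) {
    $throttle->recordFailure($ip, $t0 + $i);
}
echo 'after 3 failures, captcha required: ', var_export($throttle->captchaRequired($ip, $t0 + 3), true), PHP_EOL;
echo 'same IP 1000 s later, captcha required: ', var_export($throttle->captchaRequired($ip, $t0 + 1000), true), PHP_EOL;
$throttle->reset($ip);
echo 'after successful login, recent failures: ', $throttle->recentFailures($ip, $t0 + 3), PHP_EOL;
```

In a real login handler the key would come from `$_SERVER['REMOTE_ADDR']`; only substitute a forwarded-for header when the request is known to arrive via your own reverse proxy, since that header is otherwise attacker-controlled and would let a client pick its own counter. The proxy and intranet concern raised in the question applies unchanged: everyone behind one NAT address shares a counter, so the threshold here only adds a captcha rather than locking anyone out, and a stricter policy can key a second counter on the submitted username alongside the IP one.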


