Tracking login attempts using cookies PHP

Tags: php, cookies

I have been given a homework assignment where I need to create a captcha to login to a 'comments' section.

I have the captcha working fine, no problem. We are also tasked with keeping count of failed attempts at the captcha. No problem.

Here IS my problem. We are told that the user is allowed to try as many times as he or she wishes, however, if they fail 5 times within a thirty second limit, they are locked out for three minutes.

I understand how to track 5 missed attempts, but how would you track the timing on this one? If the user tried 4 times in 15 seconds, and then waited for a minute (or less, obviously), the clock is reset, and they have 5 more tries. Furthermore, if they tried twice and waited 30 seconds, the attempts would try again.

Do I need to set a time cookie, a secondary count cookie (to go along with the original count cookie), and track the start of the secondary counter and just see if that counter increments to 5? How would you do this?

EDIT:

Have to apologize, apparently I was not completely clear on my situation. In this homework assignment, it is strictly stipulated we must use cookies to accomplish this task. We are not looking at best practice or security at this point, the instructor simply wants us to be comfortable with cookies. Unfortunately, session is not an option for me, I must use cookies.

Phill Cookie asked Nov 05 '11 04:11
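One way to keep the sliding window entirely in cookies, as the assignment requires. This is an added example, not code from the question or either answer. The signed-cookie layout, the constant names, COOKIE_SECRET (a placeholder for a real server-side secret) and the captchaIsCorrect() stand-in for the asker's own captcha check are all assumptions; the HMAC tag only detects a cookie that was edited in the browser, it cannot stop a client that deletes the cookie, which is the caveat both answers raise. The recordFailure() and isLocked() functions are pure, so the same logic works unchanged if the state is kept in $_SESSION instead of a cookie.

```php
<?php
// Added example: five failed captchas inside a 30-second sliding window lock the
// user out for three minutes, with all state stored in one HMAC-signed cookie.
// COOKIE_SECRET is a placeholder; generate a random secret and keep it server-side.

const WINDOW_SECONDS  = 30;   // five failures within this window ...
const MAX_FAILURES    = 5;
const LOCKOUT_SECONDS = 180;  // ... lock the user out for three minutes
const COOKIE_NAME     = 'captcha_fail';
const COOKIE_SECRET   = 'replace-with-a-random-server-side-secret';  // placeholder

/** Hypothetical stand-in for the asker's existing captcha check (compares to a fixed answer). */
function captchaIsCorrect(string $answer): bool {
    return hash_equals('placeholder-answer', $answer);
}

/** Encode state as JSON plus an HMAC tag so a value edited in the browser is detectable. */
function encodeState(array $state): string {
    $json = json_encode($state);
    return $json . '.' . hash_hmac('sha256', $json, COOKIE_SECRET);
}

/** Decode and verify the cookie; a missing, malformed or tampered value counts as empty state. */
function decodeState(?string $raw): array {
    $empty = ['fails' => [], 'locked_until' => 0];
    if ($raw === null || strpos($raw, '.') === false) {
        return $empty;
    }
    [$json, $tag] = explode('.', $raw, 2);
    if (!hash_equals(hash_hmac('sha256', $json, COOKIE_SECRET), $tag)) {
        return $empty;
    }
    $state = json_decode($json, true);
    return is_array($state) && isset($state['fails'], $state['locked_until']) ? $state : $empty;
}

/** Pure state transition: the new state after a failed captcha at time $now. */
function recordFailure(array $state, int $now): array {
    // Drop failures that have slid out of the 30-second window, then add this one.
    $recent = array_values(array_filter(
        $state['fails'],
        fn(int $t) => $t > $now - WINDOW_SECONDS
    ));
    $recent[] = $now;
    if (count($recent) >= MAX_FAILURES) {
        // Fifth failure inside the window: start the lockout and clear the window.
        return ['fails' => [], 'locked_until' => $now + LOCKOUT_SECONDS];
    }
    return ['fails' => $recent, 'locked_until' => $state['locked_until']];
}

/** True while the lockout is still in force. */
function isLocked(array $state, int $now): bool {
    return $state['locked_until'] > $now;
}

// --- Request handling (setcookie() must run before any output is sent) ---
$now   = time();
$state = decodeState($_COOKIE[COOKIE_NAME] ?? null);

if (isLocked($state, $now)) {
    http_response_code(429);
    $wait    = $state['locked_until'] - $now;
    $message = "Locked out; try again in {$wait} seconds.";
} elseif (captchaIsCorrect($_POST['captcha'] ?? '')) {
    $state   = ['fails' => [], 'locked_until' => 0];   // a success resets everything
    $message = 'Welcome to the comments section.';
} else {
    $state   = recordFailure($state, $now);
    $message = isLocked($state, $now)
        ? 'Too many failures; locked out for 3 minutes.'
        : 'Wrong captcha, try again.';
}

// Cookie lifetime only needs to cover one lockout plus one window.
setcookie(COOKIE_NAME, encodeState($state), [
    'expires'  => $now + LOCKOUT_SECONDS + WINDOW_SECONDS,
    'httponly' => true,
    'samesite' => 'Strict',
]);
echo htmlspecialchars($message);
```

The window is recomputed from timestamps on every failure rather than from a counter, which is what makes "4 tries, wait a minute, 5 fresh tries" and "2 tries, wait 30 seconds" both fall out naturally: only failures newer than now minus 30 seconds are counted, so no separate reset cookie is needed.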


2 Answers

Given you've tagged this as PHP, simply start a session with session_start(). That gives each user a unique ID via a cookie, and you can store their login attempts in the $_SESSION array on the server. At each login attempt, you can check the recorded attempts stored in the session and see if they exceed the allowable attempt rate.

Of course, the usual warnings hold: On a real security system, an attacker would be highly unlikely to maintain that session cookie over their many attempts - they'd ignore it, forcing a new blank session to be created each time.

Marc B answered Oct 10 '22 05:10


I wouldn't do this in cookies at all! Users can circumvent this easily, making your system quite insecure.

You should log every login attempt in a database. Then, just query for attempts made within your specified time period when they try to login. If they have already tried too often, don't let them in.

Brad answered Oct 10 '22 03:10
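The server-side variant Brad describes, as an added example that is not part of his answer or the original question. It assumes PDO with an in-memory SQLite database standing in for the site's real database (the INSERT OR REPLACE form is SQLite syntax), the two table names and column names shown, and a constructed identity made of username plus client address; prepared statements keep that partly client-controlled value out of the SQL text.

```php
<?php
// Added example: log every failed attempt in a database, count the ones inside
// the 30-second window on each failure, and record a 3-minute lockout on the fifth.
// Table and column names are assumptions; the DSN is an in-memory SQLite placeholder.

const WINDOW_SECONDS  = 30;
const MAX_FAILURES    = 5;
const LOCKOUT_SECONDS = 180;

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');   // swap for the site's real DSN
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS login_failures (
                   identity  TEXT    NOT NULL,
                   failed_at INTEGER NOT NULL)');
    $db->exec('CREATE TABLE IF NOT EXISTS lockouts (
                   identity     TEXT    PRIMARY KEY,
                   locked_until INTEGER NOT NULL)');
    $db->exec('CREATE INDEX IF NOT EXISTS idx_failures ON login_failures (identity, failed_at)');
    return $db;
}

/** Seconds of lockout remaining for this identity, or 0 when it is not locked. */
function lockoutRemaining(PDO $db, string $identity, int $now): int {
    $stmt = $db->prepare('SELECT locked_until FROM lockouts WHERE identity = :id');
    $stmt->execute([':id' => $identity]);
    $until = (int) $stmt->fetchColumn();   // fetchColumn() gives false (-> 0) when no row exists
    return max(0, $until - $now);
}

/** Record one failed attempt; returns true if this failure triggered a lockout. */
function recordFailure(PDO $db, string $identity, int $now): bool {
    $db->prepare('INSERT INTO login_failures (identity, failed_at) VALUES (:id, :t)')
       ->execute([':id' => $identity, ':t' => $now]);

    // Count only the failures that are still inside the sliding window.
    $stmt = $db->prepare('SELECT COUNT(*) FROM login_failures
                           WHERE identity = :id AND failed_at > :since');
    $stmt->execute([':id' => $identity, ':since' => $now - WINDOW_SECONDS]);
    $recent = (int) $stmt->fetchColumn();

    if ($recent < MAX_FAILURES) {
        return false;
    }
    // Fifth failure inside the window: lock the identity and clear its window.
    $db->prepare('INSERT OR REPLACE INTO lockouts (identity, locked_until) VALUES (:id, :until)')
       ->execute([':id' => $identity, ':until' => $now + LOCKOUT_SECONDS]);
    $db->prepare('DELETE FROM login_failures WHERE identity = :id')
       ->execute([':id' => $identity]);
    return true;
}

/** Housekeeping so the tables do not grow without bound. */
function pruneOld(PDO $db, int $now): void {
    $db->prepare('DELETE FROM login_failures WHERE failed_at <= :since')
       ->execute([':since' => $now - WINDOW_SECONDS]);
    $db->prepare('DELETE FROM lockouts WHERE locked_until <= :now')
       ->execute([':now' => $now]);
}

// --- Demonstration on constructed input: six failures two seconds apart ---
$db       = openDb();
$identity = 'alice@203.0.113.7';   // constructed: username plus client address
$start    = 1_000_000;             // constructed epoch-style timestamp
for ($i = 0; $i < 6; $i++) {
    $now = $start + 2 * $i;
    if ($wait = lockoutRemaining($db, $identity, $now)) {
        echo "t+" . (2 * $i) . "s: still locked for {$wait}s\n";
        continue;
    }
    $locked = recordFailure($db, $identity, $now);
    echo "t+" . (2 * $i) . "s: failure " . ($i + 1) . ($locked ? " -> locked for 3 minutes\n" : "\n");
}
// Three minutes after the fifth failure the lockout has expired and the counter starts fresh.
pruneOld($db, $start + 200);
echo "t+200s: remaining lockout = " . lockoutRemaining($db, $identity, $start + 200) . "s\n";
```

Because the record lives on the server and is keyed by something the client cannot simply discard, clearing cookies no longer resets the count, which is the weakness both answers point out in the cookie-only design; the trade-off is that the identity key has to be chosen with care, since keying on address alone lumps users behind one NAT together.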