Limiting user login attempts in PHP

Question

I\'ve seen web apps with limitations for user login attempts.

Is it a security necessity and, if so, why?

For example: you had three failed login att

Answer 1

I reckon putting a 'failed attempts' counter in the DB would be the safest and easiest way to go. That way the user can't bypass it (by disabling cookies). Reset on successful login of course.

You can count by IP and/or by username. Advantage of IP is that you can block one person trying to hack multiple accounts. If you count by username you can block people using a server farm and won't accidentally throttle people on the same network.