You could put a cookie on the user's machine that expires after a certain period of time. Of course this only works when cookies are turned on and an experienced user could always manually remove their cookie.
Another solution may be to get the user's IP address from the request Header and add it to a list of invalid IP addresses with their times of entry. Then upon a new request, you will have to check the list and determine how long ago the IP address was added.

I'm just brainstorming here so anybody can criticize these suggestions freely.

-Jonathan

-----Original Message-----
From: Ciaran Hanley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 16, 2003 10:55 AM
To: [EMAIL PROTECTED]
Subject: Login Security

I'm writing a web application using JSP and Struts. I want to add a security feature to my login page where if a user has three unsuccessful logins they will be unable to log in for a certain period of time afterwards. I can count the number of unsuccessful logins ok but I'm not sure how to give a timeout after 3 failures. Any ideas how I could implement this?

Thanks
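The server-side list with times of entry discussed in this thread, as an added example that is not part of the original messages: a small Java class that locks a key after three failures and releases it once the timeout has passed. The class name `LoginThrottle`, the 15-minute timeout and the key format (user name plus the address a Struts action would read from `request.getRemoteAddr()`) are assumptions made for illustration.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical class): lockout state lives on the server,
// so clearing cookies on the client does not reset it.
public class LoginThrottle {
    private static final class Entry {
        final int failures;
        final Instant lockedUntil; // null while still under the failure limit
        Entry(int f, Instant until) { failures = f; lockedUntil = until; }
    }
    private final ConcurrentHashMap<String, Entry> entries = new ConcurrentHashMap<>();
    private final int maxFailures;
    private final Duration lockout;
    private final Clock clock; // injectable so the timeout can be tested

    public LoginThrottle(int maxFailures, Duration lockout, Clock clock) {
        this.maxFailures = maxFailures; this.lockout = lockout; this.clock = clock;
    }
    // Call before checking the password; false means the key is still locked.
    public boolean isAllowed(String key) {
        Entry e = entries.get(key);
        if (e == null || e.lockedUntil == null) return true;
        if (clock.instant().isBefore(e.lockedUntil)) return false;
        entries.remove(key, e); // timeout elapsed: start counting afresh
        return true;
    }
    // Call after a wrong password; the failure that reaches the limit sets the lock.
    public void recordFailure(String key) {
        Instant now = clock.instant();
        entries.merge(key, new Entry(1, 1 >= maxFailures ? now.plus(lockout) : null),
            (old, unused) -> {
                int n = old.failures + 1;
                return new Entry(n, n >= maxFailures ? now.plus(lockout) : old.lockedUntil);
            });
    }
    // Call after a correct password so earlier failures are forgotten.
    public void recordSuccess(String key) { entries.remove(key); }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle(3, Duration.ofMinutes(15), Clock.systemUTC());
        String key = "alice|203.0.113.7"; // constructed sample: user name + client IP
        for (int i = 0; i < 3; i++) {
            if (t.isAllowed(key)) t.recordFailure(key);
        }
        System.out.println("allowed after 3 failures: " + t.isAllowed(key));
    }
}
```

Keying on the IP address alone locks out every user behind a shared proxy or NAT, while keying on the user name alone lets anyone lock a known account; the choice of key decides which of those trade-offs applies. Entries that never reach the limit are only removed on a successful login, so a long-running deployment would also prune old entries periodically.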