I have a login system requiring a username and a password. I want to display a captcha after a certain amount of failed login attempts. What is the proper way to implement this? I've read around on this site and some solutions suggest having a 'failed-attempts-count' added to the users table. However, I need the failed attempts to not be tied to a certain user - i.e. I'd like the captcha to be displayed regardless of whether or not the username that was entered exists in the system. Would storing this in a session variable be ok (I am using PHP)? If so, is there no downside to just throwing data as needed into session variables? I already have any a session id for every visitor on the site (either logged in or not) so I could create a table that relates login-attempts to this session id...any ideas on what the best / most secure approach is? Thanks.
Update: from the answers thus far, it seems like session ID is not the best idea since the hacker could simply clear his/her cache (but is this really an issue because wouldnt this slow down the brute force attack enough to render it useless?). The other option is by IP...but I am hesitant for users under an intranet or proxy since failed attempts will be shared....I can't really think of any other methods..can you?