1) A typical login screen of an application: the ID is locked for wrong passwords after more than three attempts.

2) The attempt count cannot be stored in the session, because the user might use multiple browsers on the same or a different machine.

3) I don't want to persist the count in the database, since one would have to reset it after 24 hrs or so.

What is the best way to do this?

A: 

You'd probably want to use IP address to track incorrect login attempts.

If you are looking to see if someone is trying to brute force a password, then use IP.

If you are trying to lock out users who forgot their password, do it by user name.

C Bauer
A: 

You can persist the date of last correct login, date of last wrong login and count of wrong logins in a row.

The "lock" would happen automatically if the count exceeds 3 and the last wrong login was in the last X minutes. That way you don't have to reset anything, just compare dates ;)

Thomas Wanner
I will go with this. Thanks Thomas.
frappuccino
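The row-based scheme from Thomas Wanner's answer, written out as an added Python example (this is not code from the original thread). It stores the three values he names per user (last correct login, last wrong login, failure count) and derives the lock purely from a date comparison, so no job ever has to reset the counter: a stale streak simply stops matching the condition. It keys the lock by username, which is the "forgot their password" case in C Bauer's answer; tracking by IP would be a second counter keyed by address. Assumptions made for illustration: in-memory dicts stand in for the database row, the threshold is 3 (lock when the count exceeds it) and the window X is 15 minutes, passwords are stored as salted PBKDF2 hashes, and the current time is passed in so the expiry can be tested.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class LoginRecord:
    """The three columns the answer proposes persisting per user."""
    last_success: Optional[datetime] = None
    last_failure: Optional[datetime] = None
    failure_count: int = 0


class LoginService:
    """Username-keyed lockout whose state is derived from stored timestamps.

    A lock is simply 'failure_count exceeds max_failures AND last_failure is
    within window'; it expires by itself when that comparison turns false.
    """

    def __init__(self, max_failures: int = 3,
                 window: timedelta = timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        # Assumption: in-memory stand-ins for the database rows; a real app
        # would read and write these through its data layer.
        self._credentials: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, hash)
        self._records: Dict[str, LoginRecord] = {}
        # Dummy credential so an unknown username costs the same as a real one.
        self._dummy = self._hash(b"dummy-salt", "not-a-real-password")

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._credentials[username] = (salt, self._hash(salt, password))
        self._records[username] = LoginRecord()

    def record(self, username: str) -> Optional[LoginRecord]:
        return self._records.get(username)

    def is_locked(self, username: str, now: datetime) -> bool:
        rec = self._records.get(username)
        if rec is None or rec.last_failure is None:
            return False
        return (rec.failure_count > self.max_failures
                and now - rec.last_failure < self.window)

    def login(self, username: str, password: str, now: datetime) -> str:
        """Return 'ok', 'locked' or 'denied'. 'now' is injected for testability."""
        if self.is_locked(username, now):
            # Reject without touching the row, so an attacker cannot keep the
            # lock alive indefinitely just by hammering the account.
            return "locked"

        cred = self._credentials.get(username)
        if cred is None:
            # Same work and same answer as a bad password: no user enumeration.
            hmac.compare_digest(self._hash(b"dummy-salt", password), self._dummy)
            return "denied"

        salt, stored = cred
        rec = self._records[username]
        if hmac.compare_digest(self._hash(salt, password), stored):
            rec.last_success = now
            rec.failure_count = 0
            return "ok"

        # Wrong password: start a fresh streak if the previous failure is
        # older than the window, otherwise extend it. The date comparison is
        # what replaces any scheduled reset.
        if rec.last_failure is None or now - rec.last_failure >= self.window:
            rec.failure_count = 1
        else:
            rec.failure_count += 1
        rec.last_failure = now
        return "denied"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse")
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    for i in range(4):
        print(svc.login("alice", "wrong", t0 + timedelta(seconds=i)))
    print(svc.login("alice", "correct horse", t0 + timedelta(seconds=5)))
    print(svc.login("alice", "correct horse", t0 + timedelta(minutes=16)))
```

A locked account answers "locked" even to the right password until the window has elapsed, and an unknown username is hashed against a dummy credential so the response time and message do not reveal which IDs exist. Storing the timestamps with a time zone (UTC here) matters once the comparison runs on more than one server.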