I have a login page for which users and their passwords have been updated in the database. If a user continuously enters an invalid password 3 times, then I'm displaying an error message and blocking the user. When I enter another user name, the error message continues to be displayed.

Btw, I'm using session to store the username and count to check if an invalid password has been entered thrice.

Can anyone help me out with this? Thanks in advance

You're probably using ASP.NET, but with old classic ASP I would reset "login count"-session back to zero after the message box has been shown: Session("LoginCount") = 0. Now the user would have three login attempts again.

I'm not sure how using session to store the invalid attempt count works, but it's sounding like a DoS waiting to happen. What if I (not legit user) want to stop you (legit user) from accessing your account? I guess I could try three times to get your password (and get it wrong). Then you (legit user) will be locked out of your own account.
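
An added example, not part of any post in this thread: a failed-attempt counter kept on the server and keyed by username instead of stored in the session, so the block applies only to the account that triggered it and expires on its own rather than locking the owner out indefinitely. It assumes C# (the thread only guesses ASP.NET); the class name, the in-memory dictionary and the 15-minute window are assumptions.

```csharp
using System;
using System.Collections.Generic;
// Failed-login counter kept server-side per username, not in the session.
// Class name, in-memory store and the 15-minute window are assumptions.
public sealed class LoginThrottle
{
    private sealed class Entry { public int Failures; public DateTime LockedUntil; }
    private const int MaxFailures = 3;
    private static readonly TimeSpan LockoutWindow = TimeSpan.FromMinutes(15);
    private readonly Dictionary<string, Entry> _entries =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly object _gate = new object();

    // True while this username (and only this one) is locked out.
    public bool IsLocked(string user, DateTime now)
    {
        lock (_gate) { Entry e; return _entries.TryGetValue(user, out e) && now < e.LockedUntil; }
    }

    // Call after a wrong password; the third failure starts a timed lock.
    public void RecordFailure(string user, DateTime now)
    {
        lock (_gate)
        {
            Entry e;
            if (!_entries.TryGetValue(user, out e)) { e = new Entry(); _entries[user] = e; }
            if (now < e.LockedUntil) return;                 // already locked: do not extend the lock
            if (e.Failures >= MaxFailures) e.Failures = 0;   // previous lock expired: start over
            if (++e.Failures >= MaxFailures) e.LockedUntil = now + LockoutWindow;
        }
    }

    // Call after a correct password; clears the counter for that user only.
    public void RecordSuccess(string user) { lock (_gate) { _entries.Remove(user); } }
}

public static class Demo
{
    public static void Main()
    {
        var throttle = new LoginThrottle();
        var now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed timestamp
        for (int i = 0; i < 3; i++) throttle.RecordFailure("alice", now); // constructed usernames
        Console.WriteLine("alice locked: {0}, bob locked: {1}, alice after 16 min: {2}",
            throttle.IsLocked("alice", now), throttle.IsLocked("bob", now),
            throttle.IsLocked("alice", now.AddMinutes(16)));
    }
}
```

The login handler would call IsLocked with the submitted username before checking the password, so the error message follows the account rather than the browser session.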