How to lock user account when user attempt 3 times for login


I am developing jsp/servlet web application.
I have coded for login and it is successful.

But Now i want to do code for particular user is going to log in.
But his id/password is wrong then he is retrying.
upto 3 times he will try for login.
after that, that particular user can not login for some time.
means for specific time his account will locked.

How can i do this CAN ANY ONE GUIDE ME?
If any one have any example than let me know.


My product has a prov_user (Provisioning - User) table that contains a record for each user allowed on the system. Among other items, the record contains the user’s login ID, encrypted password, user state (Enabled, Disabled, and Suspended), user state change time stamp, and an invalid password count. Normally, the user state is Enabled. I have a web page which allows an administrator to Disable or Enable users. A value of Suspended means the user is temporarily prevented from logging in.

When the user logs in successfully, the code sets the invalid password count to zero. When the user provides an incorrect password, the code increments the invalid password count. After three consecutive failures, the code sets the user state to Suspended and sets the state change time stamp to the current time. Should the user provide the correct password while the state is Suspended, the code checks how long the user has been suspended. If the user has been suspended for at least 5 minutes (you may want to use another time interval), the code sets the state to Enabled, sets the state change time stamp, sets the invalid password count to zero, and logs in the user. Otherwise, the code tells the user that their account is temporarily suspended and to try again later.

Hope this helps…

mike’s solution sounds good. Definitely, have a admin page to enable the user.

I would recommend using a user_login table that records each and every login. Which user, from where (ip address), what time and if the user was successful or not.

I would then use a query to figure out if the user is a allowed to login or not based on that query.

That way you don’t have to worry about updating state on a table all the time.

If you don’t want to have to record the thing in the database, just put the user name into a session scope (or perhaps a static map). This might be easier than putting it in the database.


Ok i have done it through session.


Just FYI, there maybe a security requirements which may not work with Session. For example, let say there’s a hack who’s trying access user “abc”. He can easily retrieve new session and keeps on trying. So, just consider this fact when it’s for a real project.

Agreed. You’ll have more control if you store “user access attempts” in DB.


Ok so i would do that through database.

Thanks friends for guide me.