I have a login form that sends the request through Ajax to a "process login" script. Now, if the user is successfully authenticated, he/she will be redirected to "protected pages". If the user fails to log in for some reason, the server returns a different message depending on what failed to authenticate the user. In this case, the page is not reloaded.
Right now someone could hit the submit button X times without being stopped, sending X requests to the server. Now I somehow want to stop this, allowing, say, max 5 attempts a minute. I initially approached this problem by setting a cookie for the user, but cookies are easily disabled/manipulated. So I used sessions, which in theory stops the user until he/she restarts his browser. I used MySQL to record the user IP and session id but learned quite soon that this could quite easily be spoofed as well, and now a malicious user could be flooding my MySQL server with requests/queries.
So what is really the best approach? I'm not running a top-secret government project here; I'm just looking to stop the average script kiddies from using/abusing my website, so no superfluous suggestions please.
Thanks in advance
/Daniel
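One server-side way to get the "max 5 attempts a minute" described in the post without trusting anything the client sends (cookies, session ids) and without hitting the database for the bookkeeping, as an added example that is not Daniel's code: a sliding-window counter kept in the login process's own memory, keyed on both the client IP and the account name, so that rotating or spoofing the source address still runs into the per-account limit, and one address cannot spray many accounts. The `verify_password` callback, the IP addresses and usernames are hypothetical; a single-process server is assumed (several worker processes would need a shared store instead of a process-local dictionary).

```python
"""Sliding-window login rate limiter (added example, not from the original post).

Assumptions (hypothetical): the login handler is a Python function that is
given the client IP and the submitted username, the server runs as a single
process, and `verify_password` is whatever checks credentials in the real
application. Nothing the client controls decides whether a request is counted.
"""
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5       # attempts allowed per window ("5 attempts a minute")
WINDOW_SECONDS = 60.0  # length of the sliding window


class LoginRateLimiter:
    """Counts attempts per key (an IP, a username, ...) within a sliding window."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock                    # injectable so tests control time
        self._attempts = defaultdict(deque)   # key -> timestamps of recent attempts

    def _recent(self, key, now):
        """Drop timestamps older than the window; delete idle keys; return the deque or None."""
        q = self._attempts.get(key)
        if q is None:
            return None
        while q and now - q[0] >= self.window:
            q.popleft()
        if not q:
            del self._attempts[key]           # idle keys vanish, so the table stays bounded
            return None
        return q

    def is_blocked(self, key):
        q = self._recent(key, self.clock())
        return q is not None and len(q) >= self.max_attempts

    def record_attempt(self, key):
        now = self.clock()
        self._recent(key, now)
        self._attempts[key].append(now)

    def sweep(self):
        """Evict every idle key; call periodically so a client spraying many distinct
        usernames or addresses cannot grow the table without limit. Returns live key count."""
        now = self.clock()
        for key in list(self._attempts):
            self._recent(key, now)
        return len(self._attempts)


def handle_login(limiter, client_ip, username, password, verify_password):
    """Return (http_status, message) for one login request.

    Every attempt is counted before the credentials are checked, so a flood of
    submissions never reaches the database; the refusal message is the same for a
    bad username and a bad password so the form does not reveal which one failed.
    """
    keys = ("ip:" + client_ip, "user:" + username.strip().lower())
    if any(limiter.is_blocked(k) for k in keys):
        return 429, "Too many login attempts, please try again in a minute."
    for k in keys:
        limiter.record_attempt(k)
    if verify_password(username, password):
        return 200, "OK"
    return 401, "Invalid username or password."


if __name__ == "__main__":
    # Constructed demo: five bad passwords from one address, then a sixth request.
    limiter = LoginRateLimiter()
    check = lambda u, p: u == "daniel" and p == "correct-horse"
    for _ in range(5):
        print(handle_login(limiter, "203.0.113.5", "daniel", "wrong", check))
    print(handle_login(limiter, "203.0.113.5", "daniel", "correct-horse", check))  # blocked
```

Two caveats for real deployments: a per-account limit means someone who knows a username can lock that user out for a minute (a short window keeps this annoying rather than damaging), and behind a reverse proxy the client IP must be taken from a header the proxy sets, never from one the browser can supply.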