I have a finishing touch for my login form and want to set a 2 second timer in between invalid logins.
I had two different ideas. One would be to set a cookie that expires in X amount of seconds, then on login check if there is a cookie set.
I am not sure, however, whether a user can refuse to let a website set a cookie, so this could be got around.
The second idea is new DB table with the fields 'IP' and the time of invalid login.
On invalid login, a row would be created with the user's IP and the time. Upon logging in I would check this table for a matching IP and if the login time is less than X amount of seconds ago it is refused.
But this could be also got around using IP proxies etc?
The aim of doing this would be to prevent DDOS brute force attacks, and I'm guessing someone trying to do this would be quite aware of how to fake an IP / disallow cookies.
What is the best way for this?
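The server-side variant of the second idea (a record of the last failed login with a timestamp, checked before the password is verified), written up as an added example in Python; this is not code from the question or from any answer. It assumes an in-memory dictionary standing in for the proposed DB table, a constructed user store, and an injectable clock so the 2 second gap can be exercised without sleeping. It also keys the record on the target account as well as the source IP, so that changing IPs does not reset the timer for one account:

```python
import time

COOLDOWN_SECONDS = 2.0  # the gap between failed attempts asked for above


class LoginThrottle:
    """Server-side record of the last failed login per IP and per account.

    Hypothetical helper: the dict stands in for the question's DB table of
    (IP, time). Keying on the account name too means an attacker rotating
    source addresses still hits the timer for the account they target.
    """

    def __init__(self, cooldown=COOLDOWN_SECONDS, clock=time.monotonic):
        self.cooldown = cooldown
        self.clock = clock
        self.last_failure = {}  # ("ip", addr) / ("user", name) -> timestamp

    def _keys(self, ip, username):
        return (("ip", ip), ("user", username.lower()))

    def seconds_until_allowed(self, ip, username):
        """0.0 if an attempt may proceed now, otherwise the remaining wait."""
        now = self.clock()
        wait = 0.0
        for key in self._keys(ip, username):
            last = self.last_failure.get(key)
            if last is not None:
                wait = max(wait, self.cooldown - (now - last))
        return max(wait, 0.0)

    def record_failure(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username):
            self.last_failure[key] = now

    def record_success(self, ip, username):
        for key in self._keys(ip, username):
            self.last_failure.pop(key, None)

    def purge(self):
        """Drop entries older than the cooldown (the DB equivalent is a periodic DELETE)."""
        cutoff = self.clock() - self.cooldown
        self.last_failure = {k: t for k, t in self.last_failure.items() if t > cutoff}
        return len(self.last_failure)


USERS = {"alice": "correct horse"}  # constructed sample credentials, plaintext only for the demo


def attempt_login(throttle, ip, username, password):
    """Return 'throttled', 'invalid' or 'ok'. The timer is checked before the password."""
    if throttle.seconds_until_allowed(ip, username) > 0:
        return "throttled"
    if USERS.get(username) == password:
        throttle.record_success(ip, username)
        return "ok"
    throttle.record_failure(ip, username)
    return "invalid"


class FakeClock:
    """Manual clock so the cooldown can be stepped through deterministically."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, dt):
        self.t += dt


def simulate():
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    results = []
    results.append(attempt_login(throttle, "203.0.113.5", "alice", "wrong"))          # invalid
    results.append(attempt_login(throttle, "203.0.113.5", "alice", "correct horse"))  # throttled, 0 s later
    results.append(attempt_login(throttle, "198.51.100.9", "alice", "correct horse")) # throttled, new IP, same account
    clock.advance(2.5)
    results.append(attempt_login(throttle, "203.0.113.5", "alice", "correct horse"))  # ok
    return results


if __name__ == "__main__":
    print(simulate())
```

Because the record lives on the server, a client that refuses cookies cannot opt out of it; the timer is also applied before the credential check, so an attempt inside the window is refused even if the password happens to be right, exactly as the question proposes.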
DDOS has nothing to do with it. DDOS = Distributed Denial of Service; it means someone will trigger a lot of computers to ask for a service from your website and your server won't be able to handle the load. This will prevent your server from giving service to "honest" users, and that's why it's called "denial of service".
Preventing DDOS attacks can be tricky. The only way of handling it is not providing a service to certain IPs or to users with IPs from the areas you're being attacked from.
If you want to protect your site from brute force attack (assuming someone wants to hack into a user account) you should: