For single application session:
Keep a class level integer that holds number of tries. On each failure increase this number by 1. When 3 tries are over, lock the account in database and add a condition do display appropriate message.
For multi-session:
On each failure, update failed attempts in database for the user. If this number goes above 3, display account locked message.
Update: Here is an outline on how to implement this. It is in C# but logic remains same in VB as well.
In single application session:
private int _failedAttempts;
protected void LoginButtonClick(object sender, EventArgs e) {
if (success)
{
}
else {
_failedAttempts++;
}
if (_failedAttempts == 3) {
MessageBox.Show("Your account has been locked out.");
}
}
Multiple session:
private int _failedAttempts;
protected void LoginButtonClick(object sender, EventArgs e)
{
if (valueIs3)
{
MessageBox.Show("Your account has been locked out.");
}
else
{
if (success)
{
}
else
{
_failedAttempts = failedAttemptCountValueFromDatabase;
_failedAttempts++;
}
if (_failedAttempts == 3)
{
MessageBox.Show("Your account has been locked out.");
}
}
}