Guys I have a simple customer login page in ASP.net (C#) which has 2 textboxes and a button, one for username and the other for password and button for submit.

Upon pressing submit, the password textbox text is encrypted and then compared with the encrypted value of password already stored in DB.

Now what I want to do is, upon each unsuccessful login attempt, it should display a message like "x tries remaining out of 5". When all 5 tries are used, it should ban the user's ip for 1 hour.

How should I approach this? I am pretty new to ASP so I have no idea on how to get user IP and then block it for 1 hour. After 1 hour has passed, the ip should be unblocked automatically.

Any help will be appreciated.

P.S I am not looking for anything much complicated. I am new to this so something complicated will not be in my grasp.

You should log failed attempts to a table, when the number of rows in that table exceeds the failed number of login attempts you should display an error message to say the user is locked out.

When the user has regenerated their password, remove the records from the table.

Sorry, just saw your other request for the IP address. In a web application you can use the following property from the HttpContext:

HttpContext.Current.Request.UserHostAddress