Enable Captcha after several login failure - How t

Published 2019-02-23 11:52

Question:

I'm working on an auth system with login failure handling.
If the user fails to log in, the number of attempts in the database is incremented, and if a defined limit is reached, PHP sets a session captcha variable to true.
So when the user (or spam bot) gets the login page again, a captcha form is shown thanks to the session variable.

But since spam bots could eventually delete the session cookie and retry, this may not be effective.

Should I use a database solution instead? How would you implement this (with or without the database)?

Answer 1:

Spam bots can get around session restrictions fairly easily, so it would have to be done in the database to be effective. Spam bots can also change their IP address each request, although this is harder to achieve.

You'd have to put a login attempts field in the users table that starts at 0, increment it when they get the password wrong, and reset it to 0 when they log in successfully. When someone tries to log in as a user with login attempts > 5, you would then take them to another page with the captcha, which they must enter correctly (even if the password was wrong).



Answer 2:

I would simply record the user's session variable and then count how many times the form is submitted for an IP address.



Answer 3:

From my point of view, just take the username when he attempts to log in on your PHP page. If he/she fails the attempt, then store the username in a Login_attempts table along with its IP address. Increment the failed attempts column and check whether it is greater than your threshold value, let's say 5; if it is, then add a captcha. Also check side by side that the IP is not changing with each attempt within a certain time interval, let's say for 1 min the IP address should remain the same; if it does not, then fail the login attempt.

For best results, use NoSQL or memcache to retrieve data quickly from the database.
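The database-backed counter described in Answer 1 (increment on a wrong password, reset on success, demand a captcha above a threshold even when the password is right) combined with the per-username failure tracking of Answer 3, as an added example that is not code from the original posts. The logic is language-agnostic, so it is shown in Python with an in-memory SQLite table standing in for the users table; the table and column names, the threshold of 5 and the PBKDF2 password hashing are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

CAPTCHA_THRESHOLD = 5  # assumed value, matching the "login attempts > 5" rule in Answer 1


def init_db():
    # The counter lives on the user's row, so clearing the session cookie does not reset it.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,"
        " login_attempts INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(db, username, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
               (username, salt, _hash(password, salt)))


def captcha_required(db, username):
    # Decided from the database row, never from a client-controlled session flag.
    row = db.execute("SELECT login_attempts FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and row[0] > CAPTCHA_THRESHOLD


def login(db, username, password, captcha_ok=False):
    """Return 'ok', 'bad_credentials' or 'captcha_required'."""
    row = db.execute("SELECT salt, pw_hash, login_attempts FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return "bad_credentials"  # same answer as a wrong password, so usernames are not enumerable
    salt, pw_hash, attempts = row
    if attempts > CAPTCHA_THRESHOLD and not captcha_ok:
        # Gate before the password check: a correct guess still has to pass the captcha first.
        return "captcha_required"
    if hmac.compare_digest(_hash(password, salt), pw_hash):
        db.execute("UPDATE users SET login_attempts = 0 WHERE username = ?", (username,))
        return "ok"
    db.execute("UPDATE users SET login_attempts = login_attempts + 1 WHERE username = ?", (username,))
    return "bad_credentials"
```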