if (session id present && session id valid)
{
        Let them in, irrespective of whether their IP is in the penalty box
}
elsif (session id present && session id invalid)
{
       Penalize them
}
elsif (ip address in penalty box)
{
       Penalize them further # (No session id present and they're already in the bad books.)
}
else
{
     Check their username/password details and penalize them if necessary. # No session ID, not currently in the penalty box.
     
}