in reply to Using $! and passing errors
IMO a reasonable way is to have the upper layer (the user layer) only be aware of yes or no and the lower layer doing all the work.
It also depends on what you're trying to achieve. Do you want real time IDS? Or do you want auditing?
I wrote a system once that performed NRT IDS. The approach I used was the upper layer saying yes or no, the lower layer deciding if the login was right or wrong and logging the attempts, and a separate daemon that would poll the database to determine if this was a brute force attack (by our definition, e.g. n attempts in a set period).
If all you want is auditing, then pump your yes/no requests into a logfile and parse it separately...
To prevent people from hammering, your validation methods would parse a logfile, db, or mem cache before it validated the login attempt to see if your threshold of 'hammering' was met.
You could even go a step further, and daemonise your authentication process, making that process accessible to other systems, and so it could authenticate against various systems using parameters.... Take it a step further, use an XML (TCP) based transaction with XML::Simple and you've got a real cool, extensible, centralised authentication system capable of meeting whatever requirements you come up with.
I am the feature creep, I come from round your way...
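
The layering and the pre-validation hammering check described in the post above, as an added Perl example (not the poster's code). The threshold values, the in-memory attempt list standing in for the logfile or database, and the names `authenticate`, `is_hammered` and `check_login` are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed definition of 'hammering': MAX_FAILS failures within WINDOW seconds.
use constant { MAX_FAILS => 3, WINDOW => 60 };

# In-memory stand-in for the logfile/db/mem cache: [ epoch, user, ok ]
my @attempts;

# Placeholder for the real lower-layer validation (constructed test account).
sub check_login {
    my ( $user, $pass ) = @_;
    return ( $user eq 'alice' && $pass eq 'example-passphrase' ) ? 1 : 0;
}

# Count recent failures for this user inside the sliding window.
sub is_hammered {
    my ( $user, $now ) = @_;
    my $fails = grep {
        $_->[1] eq $user && !$_->[2] && ( $now - $_->[0] ) < WINDOW()
    } @attempts;
    return $fails >= MAX_FAILS() ? 1 : 0;
}

# The upper layer calls this and only ever sees 1 (yes) or 0 (no).
sub authenticate {
    my ( $user, $pass, $now ) = @_;
    $now = time unless defined $now;

    # Threshold is checked BEFORE validation, so a throttled caller learns
    # nothing about whether the guess was right. The attempt is still logged,
    # which keeps the window open while the hammering continues.
    if ( is_hammered( $user, $now ) ) {
        push @attempts, [ $now, $user, 0 ];
        return 0;
    }
    my $ok = check_login( $user, $pass );
    push @attempts, [ $now, $user, $ok ];
    return $ok;
}

# Constructed sequence: three bad guesses, then the right password while
# throttled, then the right password after the window has expired.
my @demo = ( [ 1000, 'guess1' ], [ 1010, 'guess2' ], [ 1020, 'guess3' ],
             [ 1030, 'example-passphrase' ], [ 1200, 'example-passphrase' ] );
for my $d (@demo) {
    my $answer = authenticate( 'alice', $d->[1], $d->[0] );
    printf "t=%d answer=%s\n", $d->[0], $answer ? 'yes' : 'no';
}
```

Keying the counter on the username alone lets anyone lock out a known account by failing on purpose; counting per source address as well, or alongside, is the usual adjustment.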
Re: Re: Using $! and passing errors
by Angel (Friar) on Nov 15, 2002 at 20:53 UTC