in reply to Identifying clients

What about something like:
    if (session id present && session id valid) {
        Let them in, irrespective of whether their IP is in the penalty box
    } elsif (session id present && session id invalid) {
        Penalize them
    } elsif (ip address in penalty box) {
        Penalize them further
        # (No session id present and they're already in the bad books.)
    } else {
        Check their username/password details and penalize them if necessary.
        # No session ID, not currently in the penalty box.
    }
I think this covers all scenarios.
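
The branch order from the reply above, as an added Perl example that is not part of the original post. The in-memory hashes, the doubling lockout and every name in it (`check_request`, `penalize`, `%penalty_box` and so on) are assumptions made for illustration; the sample requests are constructed.

```perl
use strict;
use warnings;
# Hypothetical in-memory stores; all sample values are constructed.
my %sessions  = ('s3cr3t-token' => 'alice');  # session id => user
my %passwords = (alice => 'correct horse');   # stand-in for salted password hashes
my %penalty_box;                              # ip => { strikes => n, until => epoch }
my $BASE_DELAY = 30;                          # seconds, doubled per strike (assumed policy)

sub penalize {
    my ($ip, $now) = @_;
    my $entry = $penalty_box{$ip} ||= { strikes => 0, until => 0 };
    $entry->{strikes}++;
    $entry->{until} = $now + $BASE_DELAY * 2 ** ($entry->{strikes} - 1);
    return 'denied';
}

sub in_penalty_box {
    my ($ip, $now) = @_;
    my $entry = $penalty_box{$ip} or return 0;
    return $entry->{until} > $now ? 1 : 0;
}

sub check_request {
    my ($req, $now) = @_;
    my ($ip, $sid) = @{$req}{qw(ip session_id)};
    if (defined $sid && exists $sessions{$sid}) {
        return 'allowed';                 # valid session wins over the penalty box
    }
    elsif (defined $sid) {
        return penalize($ip, $now);       # session id present but invalid
    }
    elsif (in_penalty_box($ip, $now)) {
        return penalize($ip, $now);       # no session and already boxed: extend lockout
    }
    my ($user, $pass) = @{$req}{qw(user pass)};
    my $expected = defined $user ? $passwords{$user} : undef;
    return 'allowed' if defined $expected && defined $pass && $pass eq $expected;
    return penalize($ip, $now);           # bad or missing credentials
}

# Constructed requests, evaluated at one timestamp for readability.
my $now = 1_000;
my @requests = (
    { ip => '192.0.2.7', user => 'alice', pass => 'guess' },          # wrong password
    { ip => '192.0.2.7', user => 'alice', pass => 'correct horse' },  # right password, IP now boxed
    { ip => '192.0.2.7', session_id => 's3cr3t-token' },              # valid session, boxed IP
    { ip => '192.0.2.9', session_id => 'made-up' },                   # unknown session id
);
printf "%-10s %s\n", $_->{ip}, check_request($_, $now) for @requests;
```

Because a valid session id bypasses the penalty box entirely, the scheme is only as strong as the session ids: they need to be long, random and expired server-side.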