you can do this using the set session value server behavior of cookies toolkit.
1) you will need to initialize the session 0 if it does not exist:
On the server behaviors panel, click the plus button and select WA Cookies Toolkit -> Set Session Value.
Trigger: If Session Variable is not defined
Name: loginCount
Value: 0
2) Incerement the session on login attempt:
On the server behaviors panel, click the plus button and select WA Cookies Toolkit -> Set Session Value.
Trigger: Any Form Post
Name: loginCount
Value: click the lightning bolt, and select the loginCount session. The code added will look like:
<?php echo $_SESSION['loginCount']; ?>
change it to:
<?php echo $_SESSION['loginCount'] +1; ?>
this will add one every time the login form is posted.
3) create a new rule to check the login attempts:
Go to Modify -> Securioty Assist -> Access Rules Manager.
Create new rule:
Name: Max Logins
Conditions: check Allow
Value: Click the lightning bolt and select the loginCount session
Criteria: <
Compare to: 4
4) add the access rule to the login page.
Go to Insert -> WebAssist -> SecurityAssist -> Page Access
select the Max Logins rule.
after the page access rule is applied double check in code view that the session code is before the page access rule code