I have this program as my login:

http://www.evolt.org/node/60384

I want to have a feature where the user gets locked out if the password is wrong 5 times. It should then reset the password and send it to the user's email. Any ideas on how this can be done?

    Add two fields to the user's table: number_login_attempts and last_failed_login_attempt.

    If the script performs a check of the u/p and it fails, then perform the following steps:

    Check to see when the last failed login attempt was. If it was over two hours ago, then this is not really a brute force attack so set the number_login_attempts=1 and set last_failed_login_attempt to the current time.

    Else, if it was more recent than two hours ago, then see how many failed login attempts there have been. If the number is less than four, then this is not the 5th failed login attempt so simply update the users table with number_login_attempts + 1 and set the last_failed_login_attempt to the current time.

    Else, if the number of attempts was at 4, then this is the fifth and you should (A) pick a random string and set that as the new password, and (B) email that password to the email on file for the user.

    That's the basic logic. The author provided you the code so you should be able to make those mods.

    On a higher level, though, changing someone's password isn't really normal and sending it to them via email isn't really the most secure thing in the world. (Packets can be sniffed, and email accounts can be hacked, or the user could be on vacation and his co-workers could simply sit down at his machine and check his email). Besides, a pest could irritate the hell out of someone by deliberately guessing their password wrong 5 times and making them change their password if they don't want to.

    A more normal (and more secure) speedbump would be to let them try 3 passwords immediately, make them wait 5 mins before they could try the 4th, and make them wait a half hour before they could try the 5th. (The logic for that is: if the counter==3, then this is the 4th attempt. If the last attempt was less than 5 mins ago, then don't even check to see if the pw is right or wrong, simply tell them that they didn't wait long enough.)

    Once they wait 45 mins with no failed attempts, then the bad password attempt counter goes back to zero.

      Alright, so I just want the user to be kicked out for a period of time after failing 3 times. Here is my process file. How would I integrate the code from that link into here?

      <?php
      include("include/session.php");

      class Process
      {
         /* Class constructor. The original used a PHP4-style "function Process()",
            which PHP 8 no longer treats as a constructor, so __construct is used. */
         function __construct(){
            global $session;
            /* User submitted login form */
            if(isset($_POST['sublogin'])){
               $this->procLogin();
            }
            /* User submitted registration form */
            else if(isset($_POST['subjoin'])){
               $this->procRegister();
            }
            /* User submitted forgot password form */
            else if(isset($_POST['subforgot'])){
               $this->procForgotPass();
            }
            /* User submitted edit account form */
            else if(isset($_POST['subedit'])){
               $this->procEditAccount();
            }
            /**
             * The only other reason user should be directed here
             * is if he wants to logout, which means user is
             * logged in currently.
             */
            else if($session->logged_in){
               $this->procLogout();
            }
            /**
             * Should not get here, which means user is viewing this page
             * by mistake and therefore is redirected.
             */
            else{
               header("Location: main.php");
               exit;   /* stop the script after every redirect */
            }
         }

         /**
          * procLogin - Processes the user submitted login form, if errors
          * are found, the user is redirected to correct the information,
          * if not, the user is effectively logged in to the system.
          */
         function procLogin(){
            global $session, $form;
            /* Login attempt */
            $retval = $session->login($_POST['user'], $_POST['pass'], isset($_POST['remember']));

            /* Login successful */
            if($retval){
               header("Location: ".$session->referrer);
               exit;
            }
            /* Login failed: keep the submitted values and the errors for the form */
            else{
               $_SESSION['value_array'] = $_POST;
               $_SESSION['error_array'] = $form->getErrorArray();
               header("Location: ".$session->referrer);
               exit;
            }
         }

         /**
          * procLogout - Simply attempts to log the user out of the system
          * given that there is no logout form to process.
          */
         function procLogout(){
            global $session;
            $session->logout();
            header("Location: main.php");
            exit;
         }

         /**
          * procRegister - Processes the user submitted registration form,
          * if errors are found, the user is redirected to correct the
          * information, if not, the user is effectively registered with
          * the system and an email is (optionally) sent to the newly
          * created user.
          */
         function procRegister(){
            global $session, $form;
            /* Convert username to all lowercase (by option) */
            if(ALL_LOWERCASE){
               $_POST['user'] = strtolower($_POST['user']);
            }
            /* Registration attempt: 0 = success, 1 = form errors, 2 = failed */
            $retval = $session->register($_POST['user'], $_POST['pass'], $_POST['email']);

            /* Registration Successful */
            if($retval == 0){
               $_SESSION['reguname'] = $_POST['user'];
               $_SESSION['regsuccess'] = true;
            }
            /* Error found with form */
            else if($retval == 1){
               $_SESSION['value_array'] = $_POST;
               $_SESSION['error_array'] = $form->getErrorArray();
            }
            /* Registration attempt failed */
            else if($retval == 2){
               $_SESSION['reguname'] = $_POST['user'];
               $_SESSION['regsuccess'] = false;
            }
            header("Location: ".$session->referrer);
            exit;
         }

         /**
          * procForgotPass - Validates the given username then if
          * everything is fine, a new password is generated and
          * emailed to the address the user gave on sign up.
          */
         function procForgotPass(){
            global $database, $session, $mailer, $form;
            /* Username error checking */
            $subuser = $_POST['user'];
            $field = "user";  //Use field name for username
            if(!$subuser || strlen($subuser = trim($subuser)) == 0){
               $form->setError($field, "* Username not entered<br>");
            }
            else{
               /* Make sure username is in database.
                  eregi() was removed in PHP 7; preg_match with the /i flag
                  is the equivalent case-insensitive test. */
               $subuser = stripslashes($subuser);
               if(strlen($subuser) < 5 || strlen($subuser) > 30 ||
                  !preg_match('/^[0-9a-z]+$/i', $subuser) ||
                  (!$database->usernameTaken($subuser))){
                  $form->setError($field, "* Username does not exist<br>");
               }
            }

            /* Errors exist, have user correct them */
            if($form->num_errors > 0){
               $_SESSION['value_array'] = $_POST;
               $_SESSION['error_array'] = $form->getErrorArray();
            }
            /* Generate new password and email it to user */
            else{
               /* Generate new password */
               $newpass = $session->generateRandStr(8);

               /* Get email of user */
               $usrinf = $database->getUserInfo($subuser);
               $email  = $usrinf['email'];

               /* Attempt to send the email with new password */
               if($mailer->sendNewPass($subuser,$email,$newpass)){
                  /* Email sent, update database. The library stores unsalted
                     md5 hashes; password_hash() is the modern replacement,
                     but changing it here would also require changing the
                     comparison in session.php. */
                  $database->updateUserField($subuser, "password", md5($newpass));
                  $_SESSION['forgotpass'] = true;
               }
               /* Email failure, do not change password */
               else{
                  $_SESSION['forgotpass'] = false;
               }
            }

            header("Location: ".$session->referrer);
            exit;
         }

         /**
          * procEditAccount - Attempts to edit the user's account
          * information, including the password, which must be verified
          * before a change is made.
          */
         function procEditAccount(){
            global $session, $form;
            /* Account edit attempt */
            $retval = $session->editAccount($_POST['curpass'], $_POST['newpass'], $_POST['email']);

            /* Account edit successful */
            if($retval){
               $_SESSION['useredit'] = true;
            }
            /* Error found with form */
            else{
               $_SESSION['value_array'] = $_POST;
               $_SESSION['error_array'] = $form->getErrorArray();
            }
            header("Location: ".$session->referrer);
            exit;
         }
      }

      /* Initialize process */
      $process = new Process;

      ?>


        It looks like you want to modify procLogin() and the session's login() function. Currently, your algorithm is:

        Attempt login
        If login failed
            Set error message
        Redirect to $session->referrer page

        You might use an algorithm along these lines instead:

        Retrieve number of failed login attempts and locked out start time where the username and password matches the given user name and password
        If there are no rows returned
            Set "invalid login" error message
        Else if the number of failed login attempts greater than 2
            If the locked out period has not expired
                Set "currently locked out, please wait" error message
            Else
                Update number of failed login attempts to 0
                Set "invalid login" error message
        Else if the number of failed login attempts is not equal to 0
            Update number of failed login attempts to 0    
        Redirect to $session->referrer page

        By the way, as they are now, those functions do not belong in a class, unless you turn them into static member functions so as to use the class as a namespace. Most of the variables you declare global within those functions should be parameters, with the possible exception of $session, which might still be better off as a parameter, or possibly a singleton implementing the singleton pattern.

        Also, after you send a location header, you should immediately exit from the script. The URL of a location header should be an absolute URL.
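The following is an added example, not code from the thread or from the evolt.org login library. It implements the escalating speed-bump the first answer describes (3 attempts checked immediately, a 5-minute wait before the 4th, a 30-minute wait before the 5th, counter cleared after 45 quiet minutes) on the two columns that answer names, and plugs it into procLogin() the way the second answer suggests, with an exit after each redirect. The PDO handle, the SQLite table used for the walk-through, the `$throttle` global and PHP 8 syntax are assumptions of this example.

```php
<?php
// Added example (not from the thread or the evolt.org library). Assumed: the users
// table has number_login_attempts and last_failed_login_attempt, a PDO handle $db,
// a global $throttle created wherever $session is, and PHP 8.

const FREE_ATTEMPTS = 3;          // attempts 1-3 are checked immediately
const RESET_AFTER   = 45 * 60;    // 45 min with no failures clears the counter

/** Seconds that must pass since the last failure before the next attempt is checked. */
function requiredDelay(int $failures): int
{
    if ($failures < FREE_ATTEMPTS)   return 0;        // 1st..3rd attempt
    if ($failures === FREE_ATTEMPTS) return 5 * 60;   // 4th attempt: wait 5 min
    return 30 * 60;                                   // 5th and later: wait 30 min
}

class LoginThrottle
{
    public function __construct(private PDO $db) {}

    /** 0 if the password may be checked now, otherwise seconds still to wait. */
    public function secondsToWait(string $user, int $now): int
    {
        $st = $this->db->prepare('SELECT number_login_attempts, last_failed_login_attempt
                                  FROM users WHERE username = ?');
        $st->execute([$user]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if (!$row) {
            return 0;   // unknown user: let the normal password check reject it
        }
        $failures = (int) $row['number_login_attempts'];
        $last     = (int) $row['last_failed_login_attempt'];
        if ($failures > 0 && $now - $last >= RESET_AFTER) {
            $this->reset($user);    // quiet for 45 min: counter goes back to zero
            return 0;
        }
        return max(0, $last + requiredDelay($failures) - $now);
    }

    /** Call after a wrong password. Attempts refused for not waiting are NOT counted. */
    public function recordFailure(string $user, int $now): void
    {
        $st = $this->db->prepare('UPDATE users
                                  SET number_login_attempts = number_login_attempts + 1,
                                      last_failed_login_attempt = ?
                                  WHERE username = ?');
        $st->execute([$now, $user]);
    }

    public function reset(string $user): void
    {
        $st = $this->db->prepare('UPDATE users SET number_login_attempts = 0,
                                  last_failed_login_attempt = 0 WHERE username = ?');
        $st->execute([$user]);
    }

    public function failures(string $user): int
    {
        $st = $this->db->prepare('SELECT number_login_attempts FROM users WHERE username = ?');
        $st->execute([$user]);
        return (int) $st->fetchColumn();
    }
}

/** Replacement for procLogin(): throttle check first, exit after every redirect. */
function procLogin(): void
{
    global $session, $form, $throttle;   // $throttle = new LoginThrottle($db) (assumed)
    $user = $_POST['user'] ?? '';
    $wait = $throttle->secondsToWait($user, time());
    if ($wait > 0) {
        // Do not even look at the password, and do not count this attempt.
        $form->setError('user', '* Too many failed logins, try again in '
                                . (int) ceil($wait / 60) . ' minute(s)<br>');
    } elseif ($session->login($user, $_POST['pass'] ?? '', isset($_POST['remember']))) {
        $throttle->reset($user);
        header('Location: ' . $session->referrer);
        exit;
    } else {
        $throttle->recordFailure($user, time());   // wrong password: one strike
    }
    $_SESSION['value_array'] = $_POST;
    $_SESSION['error_array'] = $form->getErrorArray();
    header('Location: ' . $session->referrer);
    exit;
}

// Constructed walk-through: an in-memory SQLite table stands in for the users table
// and every guess is wrong. Run from the command line: php throttle.php
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY,
               number_login_attempts INTEGER NOT NULL DEFAULT 0,
               last_failed_login_attempt INTEGER NOT NULL DEFAULT 0)');
    $db->exec("INSERT INTO users (username) VALUES ('alice')");
    $throttle = new LoginThrottle($db);
    $t0 = 1700000000;
    foreach ([0, 10, 20, 30, 200, 400, 900, 2400, 5200] as $dt) {
        $wait = $throttle->secondsToWait('alice', $t0 + $dt);
        if ($wait > 0) {
            printf("t+%4ds: refused, wait %ds more\n", $dt, $wait);
        } else {
            $throttle->recordFailure('alice', $t0 + $dt);
            printf("t+%4ds: password checked, failures now %d\n", $dt, $throttle->failures('alice'));
        }
    }
}
```

In the walk-through the first three guesses are checked, the guesses at t+30s and t+200s are refused (290 and 120 seconds still to wait), the 4th is checked at t+400s, the guess at t+900s is refused because the 30-minute wait now applies, the 5th is checked at t+2400s, and at t+5200s the 45-minute quiet period has passed so the counter restarts at 1. Two caveats the thread touches on still apply: the counter is keyed on the username, so anyone who knows a username can keep its owner waiting, and the "try again in N minutes" message confirms that the username exists. A per-IP limit alongside this one, and a single "invalid login" message for both cases, reduce both problems.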
