How to track login attempts using HttpSession in Java?


You can try the below code

// "loginCount" is null on a fresh session; unboxing null directly would throw
Integer storedCount = (Integer) session.getAttribute("loginCount");
int loginAttempt = (storedCount == null) ? 0 : storedCount;

if (loginAttempt > 3 ){
     // Error message/page redirection 
}else{
     // store the incremented value; loginAttempt++ would store the old one
     session.setAttribute("loginCount", loginAttempt + 1);
}
Author: Marta

Software engineer, currently dabbling in Android development.

Updated on June 04, 2022

Comments

  • Marta
    Marta almost 2 years

    I have a no-framework web application. I need to implement a simple way to check unsuccessful logins, using sessions. If the user attempts to log in 3 times using incorrect username/password combination, they will be given a 20 minute timeout before they can try logging in again.

    Currently I only set a user session if the user successfully logs in to the system. However, it seems that I should get a session in case of unsuccessful login also, and count the login attempts somehow.

    Login.jsp (simplified version):

    <form name="loginForm" method="post" action="CustomerData">
    User name:<input type="text" name="userName"/>
    Password:<input type="password" name="password"/>
    <!-- type="submit" rather than type="button", otherwise the form is never sent -->
    <input type="submit" value="submit">
    </form>

    CustomerData.java (simplified version):

    // See if customer is a valid user (parameterised query; concatenating
    // userName/password into the SQL string would be injectable).
    // Assumes a JDBC Connection 'connection' is in scope.
    PreparedStatement statement = connection.prepareStatement(
        "select firstName, lastName, email from customer where userName = ? and password = ?");
    statement.setString(1, userName);
    statement.setString(2, password);
    ResultSet selectResult = statement.executeQuery();

    if(selectResult.next())
    {
        // We got a valid user, let's log them in
        ....
        HttpSession session = request.getSession(true);
        session.setAttribute("customer", customer);
    }
    else
    {
        // this is where I need to get the session id (??),
        // count the unsuccessful login attempts somehow,
        // and give them a 20 minute timeout before they can try logging in again.

        request.setAttribute("message","Invalid username or password. Please try again!");
    }
    

    While doing research, I found that there are a lot of built-in security features for various Java frameworks. I also found that using sessions is not the best way to track login attempts, because the user can log in with different browsers. However, I'm creating this functionality for a simple web project that will never go to any production environment. I would like to know how to implement this functionality using the Java HttpSession object.

    OK, here is my full solution, based on the feedback I received. I'm posting this in case it might help others with similar issues:

    // Assumes request, response, userName, password and a JDBC Connection
    // 'connection' are in scope, with java.sql.* and java.util.Date imported
    HttpSession session = request.getSession(true);
    String url;
    String lockedMessage = "You have exceeded the 3 failed login attempts. Please try logging in in 20 minutes, or call our customer service center at 1-800 555-1212.";

    // the failed-attempt counter lives in the session and is null on a fresh session
    Integer storedCount = (Integer) session.getAttribute("loginCount");
    int loginAttempt = (storedCount == null) ? 0 : storedCount;

    // enforce the timeout before checking credentials, otherwise a locked-out
    // client could still log in by sending the correct password
    // (3 attempts: loginAttempt reaches 3 on the third failure)
    if (loginAttempt >= 3)
    {
        // time of the previous request as reported by the container; every blocked
        // request refreshes it, so the timeout is really 20 minutes of inactivity
        long lastAccessedTime = session.getLastAccessedTime();
        long currentTime = new Date().getTime();
        long timeDiff = currentTime - lastAccessedTime;
        // 20 minutes in milliseconds
        if (timeDiff >= 1200000)
        {
            // invalidate the old session so they can try again, then start a new one
            // (setting attributes on an invalidated session would throw)
            session.invalidate();
            session = request.getSession(true);
            loginAttempt = 0;
        }
        else
        {
            // Error message; stop here without touching the database
            session.setAttribute("message", lockedMessage);
            getServletContext().getRequestDispatcher("/login.jsp").forward(request, response);
            return;
        }
    }

    // See if customer is a valid user (parameterised query; the original
    // concatenated userName/password into the SQL string, which is injectable)
    PreparedStatement statement = connection.prepareStatement(
        "select firstName, lastName, email from customer where userName = ? and password = ?");
    statement.setString(1, userName);
    statement.setString(2, password);
    ResultSet selectResult = statement.executeQuery();

    if (selectResult.next())
    {
        // We got a valid user, let's log them in
        Customer customer = new Customer();
        customer.setFirstName(selectResult.getString("firstName"));
        customer.setLastName(selectResult.getString("lastName"));
        customer.setEmail(selectResult.getString("email"));
        customer.setUserName(userName);
        // the plaintext password is not kept on the session object

        // establish a user session and clear the failed-attempt counter
        session.setAttribute("customer", customer);
        session.setAttribute("firstName", customer.getFirstName());
        session.removeAttribute("loginCount");
        url = "/index.jsp";
    }
    else
    {
        loginAttempt++;
        session.setAttribute("loginCount", loginAttempt);
        int allowLogin = 3 - loginAttempt;
        if (allowLogin > 0)
        {
            session.setAttribute("message", "loginAttempt= " + loginAttempt + ". Invalid username or password. You have " + allowLogin + " attempts remaining. Please try again! <br>Not a registered customer? Please <a href=\"register.jsp\">register</a>!");
        }
        else
        {
            session.setAttribute("message", lockedMessage);
        }
        url = "/login.jsp";
    }
    selectResult.close();
    statement.close();

    RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(url);
    dispatcher.forward(request, response);
    
    • Marta
      Marta over 11 years
      Thank you for your help with the edit, Bhavik. I'm still new here, learning the system.
  • Marta
    Marta over 11 years
    This is a very good start, but not fully functional. loginAttempt cannot be assigned to an int; it is an Object. Should it be cast to an int? Also, how do I set a timeout for the user so he/she is allowed to start trying again in 20 minutes? Do I use session.setMaxInactiveInterval?
  • Bhavik Ambani
    Bhavik Ambani over 11 years
    I stated here, what if I want to count the number of attempts of the user for login requests.
  • Bhavik Ambani
    Bhavik Ambani over 11 years
    You can use session.getLastAccessedTime() and compare that time with the current system time for the interval validation
  • Marta
    Marta over 11 years
    Great, I will do that. Thank you!
  • BalusC
    BalusC over 11 years
    This "solution" is not robust enough. Hackers can still circumvent this by simply not sending the session cookie, which thus appears as a fresh new session on the server side every time.
  • Bhavik Ambani
    Bhavik Ambani over 11 years
    @BalusC Hackers can break any solution which you provided, BTW I have given the solution which is questioned here.
  • BalusC
    BalusC over 11 years
    Huh? I didn't provide any solution here.
  • Bhavik Ambani
    Bhavik Ambani over 11 years
    @BalusC I am talking about myself
  • Marta
    Marta over 11 years
    @BalusC I agree this is not a robust solution. However, I wanted to see how login attempts can be tracked and implemented using sessions. Thank you for your input as well.
  • Marta
    Marta over 11 years
    @BhavikAmbani Thanks for all your responses. Extremely helpful! I developed my solution based on your feedback, and posted it above. It works well for the purpose I needed it for.
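A server-side counter keyed by account name addresses the objection raised in the comments: a client that never sends the session cookie gets a fresh HttpSession, but not a fresh per-account record. This is an added example, not code from the question or the answers; the class and method names are assumed, and the caller is expected to check isLocked before running the credential query and call recordFailure or recordSuccess after it.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.LongSupplier;

// Failed-login tracker keyed by account name and held server-side, so a client
// that drops its session cookie does not get a fresh counter (the weakness raised
// in the comments). Hypothetical class and method names, not the poster's code.
public class LoginAttemptTracker {
    static final int MAX_ATTEMPTS = 3;
    static final long LOCKOUT_MILLIS = 20L * 60 * 1000;   // 20 minutes
    private static final class Record {
        int failures;
        long lockedUntil;   // 0 while the account is not locked
    }
    private final Map<String, Record> records = new HashMap<>();
    private final LongSupplier clock;   // injected so the timeout can be exercised

    public LoginAttemptTracker(LongSupplier clock) { this.clock = clock; }
    /** Check this before running the credential query; true during the timeout. */
    public synchronized boolean isLocked(String userName) {
        Record r = records.get(userName);
        if (r == null || r.lockedUntil == 0) return false;
        if (clock.getAsLong() >= r.lockedUntil) {
            records.remove(userName);   // timeout elapsed: start over
            return false;
        }
        return true;
    }
    /** Call on a wrong password; returns the attempts left before lockout. */
    public synchronized int recordFailure(String userName) {
        Record r = records.computeIfAbsent(userName, k -> new Record());
        r.failures++;
        if (r.failures >= MAX_ATTEMPTS) {
            r.lockedUntil = clock.getAsLong() + LOCKOUT_MILLIS;
            return 0;
        }
        return MAX_ATTEMPTS - r.failures;
    }
    /** Call on a successful login so old failures do not accumulate. */
    public synchronized void recordSuccess(String userName) { records.remove(userName); }

    public static void main(String[] args) {
        long[] now = {0L};   // constructed clock, advanced by hand below
        LoginAttemptTracker t = new LoginAttemptTracker(() -> now[0]);
        for (int i = 0; i < 3; i++) System.out.println("left: " + t.recordFailure("alice"));
        System.out.println("locked: " + t.isLocked("alice"));
        now[0] += LOCKOUT_MILLIS;
        System.out.println("locked after 20 min: " + t.isLocked("alice"));
    }
}
```

Keying on the account name means the timeout applies to the account regardless of who triggers the failures, so anyone who knows a user name can lock that user out for 20 minutes; production systems usually combine an account counter like this with per-source rate limiting rather than relying on it alone.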