Where is the user information stored?
For a database, add a column to flag the account as locked. Keep a tally of the failed tries in session while the user is attempting to log in. After the 3rd failed attempt, update the database with the lock flag set. Do you want the lock to expire? Instead of stored a simple flag (bit) store a timestamp. Determine what your timespan is for account lockout, and set/check the timestamp accordingly.