Which would be the more efficient way to limit the number of login tries to a password protected website:

1. Using cookies (can't the hacker just erase cookies on his machine to get around tis)
2. Generate a text file with the hackers $ENV{'HTTP_REFERER'} and count the number of tries

Is there a better way or does anyone know of a snippet to take a look at?