I am not sure i follow your question this time. Each failed attempt to login is logged in the session and in the db. (db regenerates session if scrupulous individuals drop the session as a work around). When we need to get the attempts to count them, we only count the number of attempts that are within a certain time limit, any attempt older than the time limit is not included in the array we return and use to count. Once a block has expired, all of the failed login attempts will be too old to be included in the check so we don't need to worry about them anymore and they shouldn't be included in the session upon the next successful login.