Limiting login tries to protect from BFAs
I have implemented a login system where after 3 unsuccessful tries (using $_SESSION variables) a cookie is created on the user's computer which expires in 10 minutes. Now I know this is certainly not sufficient, as they can just delete the cookie. Now, what I want to know is, when I implement a table to capture incorrect logins via IP & username combos, when does this table get cleared? When the user successfully logs in after the block time has expired?
Let's say this table gets populated with 1000 entries, how do I automatically clear this? What is the structure of the table?
I propose this:
4 fields: ID, IP, username (which will be their email address), block_time (time user can log in again)?

You can create a record after first unsuccessful login, and remove it after login succeeds.
The second approach would be creating "modified" column, and cleaning it using some php-cron script.
INSERT INTO user_logins(user_hash, time) VALUES(?,?)
ON DUPLICATE KEY UPDATE time = now()
Of course, your primary key would be user_hash.
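The scheme the answer sketches (one row per IP/username hash, upserted on every failure, removed on a successful login, and swept by a periodic job) as a runnable example. This is added code, not from the question or the answer; it uses Python with the standard-library sqlite3 module in place of PHP/MySQL, so `ON CONFLICT ... DO UPDATE` (SQLite 3.24 or later) stands in for MySQL's `ON DUPLICATE KEY UPDATE`. The table name `user_logins` and key `user_hash` come from the answer; the `attempts` and `last_failure` columns, the 3-try / 10-minute limits (taken from the question) and all function names are my own choices.

```python
import hashlib
import sqlite3

MAX_ATTEMPTS = 3        # failures allowed before the lockout starts (from the question)
BLOCK_SECONDS = 600     # 10-minute block, matching the cookie expiry in the question

# user_hash is the answer's primary key; the other two columns are assumptions.
SCHEMA = """
CREATE TABLE IF NOT EXISTS user_logins (
    user_hash    TEXT    PRIMARY KEY,
    attempts     INTEGER NOT NULL,
    last_failure INTEGER NOT NULL
)
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def user_hash(ip, username):
    # Hash the IP/username combo so the table never stores the raw pair.
    return hashlib.sha256(f"{ip}|{username.lower()}".encode()).hexdigest()


def record_failure(conn, ip, username, now):
    """Upsert one failed attempt; returns the attempt count after the update.

    A failure that arrives after the block window has lapsed restarts the
    counter at 1, so stale failures from days ago never add up to a lockout.
    """
    h = user_hash(ip, username)
    # SQLite's ON CONFLICT ... DO UPDATE is the counterpart of MySQL's
    # INSERT ... ON DUPLICATE KEY UPDATE quoted in the answer.
    conn.execute(
        "INSERT INTO user_logins (user_hash, attempts, last_failure) VALUES (?, 1, ?) "
        "ON CONFLICT(user_hash) DO UPDATE SET "
        "attempts = CASE WHEN excluded.last_failure - last_failure >= ? "
        "               THEN 1 ELSE attempts + 1 END, "
        "last_failure = excluded.last_failure",
        (h, now, BLOCK_SECONDS),
    )
    conn.commit()
    row = conn.execute("SELECT attempts FROM user_logins WHERE user_hash = ?", (h,)).fetchone()
    return row[0]


def is_locked(conn, ip, username, now):
    """True while the combo has reached MAX_ATTEMPTS within the last BLOCK_SECONDS."""
    row = conn.execute(
        "SELECT attempts, last_failure FROM user_logins WHERE user_hash = ?",
        (user_hash(ip, username),),
    ).fetchone()
    if row is None:
        return False
    attempts, last_failure = row
    return attempts >= MAX_ATTEMPTS and now - last_failure < BLOCK_SECONDS


def clear_on_success(conn, ip, username):
    """Drop the row once the user logs in successfully (the answer's first approach)."""
    conn.execute("DELETE FROM user_logins WHERE user_hash = ?", (user_hash(ip, username),))
    conn.commit()


def purge_expired(conn, now):
    """Housekeeping job (the answer's cron approach): remove rows whose block has
    lapsed, so the table does not grow without bound. Returns rows deleted."""
    cur = conn.execute("DELETE FROM user_logins WHERE last_failure <= ?", (now - BLOCK_SECONDS,))
    conn.commit()
    return cur.rowcount


def attempt_login(conn, ip, username, password_ok, now):
    """Full check: refuse while locked, otherwise record the outcome.

    password_ok stands in for whatever credential check the application does;
    it is only consulted once the lockout check has passed.
    """
    if is_locked(conn, ip, username, now):
        return "locked"
    if password_ok:
        clear_on_success(conn, ip, username)
        return "ok"
    record_failure(conn, ip, username, now)
    return "failed"


if __name__ == "__main__":
    # Constructed walk-through: three failures, then a correct password during the block.
    db = open_db()
    t0 = 1_700_000_000
    ip, user = "203.0.113.5", "alice@example.com"   # constructed sample values
    for i in range(3):
        print(attempt_login(db, ip, user, False, t0 + i))   # failed x3
    print(attempt_login(db, ip, user, True, t0 + 5))        # locked
    print(attempt_login(db, ip, user, True, t0 + 700))      # ok, row removed
    print(purge_expired(db, t0 + 700))                       # 0, nothing left to sweep
```

Because the key is the IP and username together, a legitimate user on a different address is not blocked by someone hammering their account from elsewhere, and the purge job answers the asker's "1000 entries" question: anything older than the block window is simply swept, while rows for users who logged in successfully are already gone.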