Currently it is possible to lock out users with a script that automatically does 3 incorrect login tries every five minutes. To avoid this security problem, I would like to add that after 3 incorrect login tries a recaptcha is also needed before a full login attempt can be done. I have a workaround to count the number of previous login attempts. link. With this I plan to make a non persistent login object which contains the Mendix recaptcha widget and in the background logs a user in using a java action. My alternative plan of adding the recaptcha javascript into the loginwidget of mendix will take me to much time. The mendix login java method is not working. The user stil stays stuck as an anonymous user even though the session is created correctly withing the java action. Even refreshing does not work. The logged in session does not seem to get linked to the browser. Does anyone have any suggestions on how to get the login action to work?