In terms of vulnerability to attacks; both methods would be the same. An ajax request is the same as a postback, but it is done through javascript and as such only a small portion of the page needs to be updated/reloaded as required.
For you issue; If the user is not permitted to make multiple attempts simply register the first response as final. If they are permitted multiple attempts; then limit the total number of attempts they can have.
If neither of the above is an option, then the user can always brute force.