if more than 3 wrong submit, show captcha

Question 1

Create a column in your users table named login_attempts. The column increments on each failed login attempt, and resets on successful login.

The basic structure could be as follows:

+-----------+------+------+
|  user_id  |  ip  | date |
+-----------+------+------+

To check the number of login attempts, you can use query like below:

SELECT count(ip) AS failed_attempts
FROM login_attempts
WHERE ip = $ip
  AND date < (NOW - INTERVAL 24 HOUR)

Now, in your PHP code, you can check if the value is greater than or equal to 3, and display the captcha if so:

if ($data['failed_attempts'] >= 3) {
    // display captcha...
}

Question 2

The whole point of captcha is to prevent robots accessing your site (password cracking etc.).

Sessions use cookies. So to thwart your system all the robot has to do is not send the cookie thereby your server thinking it is the first login attempt and therefore not requiring a captcha. This will enable the robot to try as many times as it likes.

So the answer is yes via sessions but you undermine the whole idea of captcha.

Question 3

You may try this way....

<?php 
    $_SESSION['wrong_pword_count']=0;

    if($stored_password != $provided_password){
        if($_SESSION['wrong_pword_count']<3){
            $_SESSION['wrong_pword_count'] = $_SESSION['wrong_pword_count']+1;
        }
    } else {
        $_SESSION['wrong_pword_count']=0;

    }

    if($_SESSION['wrong_pword_count']>=3){
        echo "Show captcha here";
    }