Since the main point of doing this is to slow down bot scripts, which won’t likely propagate a session, using the session to record the state won’t do anything.
If someone/something triggers the attempts per time limit, just enable a captcha, for both the login attempts and any username/password recovery. This will further limit bot scripts, while allowing a legitimate user a way to continue. If a legitimate user fails to log in after a reasonable number of attempts, they should make use of a username/password recovery option, rather than keep trying to log in.
Whatever you do, don’t allow a login attempt failure to kick out a legitimate, already logged in, user.
BTW - in your existing code, upon successfully logging in, the only user information you should store in the session is the user’s id, and it should be named something like user_id (there are many different things that have ids, so naming the session value id is a poor choice). You would then query on each page request to get any other user information. This ensures that any changes made to the user information, such as permissions, will take effect on the very next page request.
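Added example, not part of the original post and not the poster's code: a Python sketch of the approach described above, with failed attempts counted server-side per username and per client IP instead of in the session, a captcha required once the limit is hit, and only `user_id` written to the session on success. The class and function names, the thresholds and the `verify` callback are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed limit; tune for your site
WINDOW_SECONDS = 900   # assumed sliding window (15 minutes)


class LoginThrottle:
    """Counts failed logins server-side, keyed by username and client IP.

    Nothing is kept in the session: a bot that discards the session
    cookie on every request would reset a session-based counter.
    In production the store would be a database table or shared cache.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.time):
        self.max_failures, self.window, self.clock = max_failures, window, clock
        self._failures = defaultdict(deque)  # key -> failure timestamps

    def _keys(self, username, ip):
        return ("user", username.lower()), ("ip", ip)

    def _recent(self, key):
        q, cutoff = self._failures[key], self.clock() - self.window
        while q and q[0] <= cutoff:          # drop failures outside the window
            q.popleft()
        return len(q)

    def captcha_required(self, username, ip):
        # Call this from the login form and from username/password recovery.
        return any(self._recent(k) >= self.max_failures
                   for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        for k in self._keys(username, ip):
            self._failures[k].append(self.clock())


def attempt_login(throttle, session, verify, username, password, ip,
                  captcha_ok=False):
    """verify(username, password) returns the user's id, or None on failure."""
    if throttle.captcha_required(username, ip) and not captcha_ok:
        return "captcha_required"            # existing session left untouched
    user_id = verify(username, password)
    if user_id is None:
        throttle.record_failure(username, ip)
        return "failed"                      # never logs out a logged-in user
    session["user_id"] = user_id             # the only user data in the session
    return "ok"
```
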