From a quick glance that code looks pretty good. Here's a little constructive criticism:
I really hate when people use PHP alt syntax outside of a view; I would recommend changing that for uniformity.
Also, some of your logic could be simplified, for example the is_user_banned() method should return FALSE by default and then the only additional return statements you need are when you're returning TRUE.
If I was using this I would integrate it into the login() method as well so your controller code doesn't change.[/quote]
I've done a similar check, but purely added it to the login script.
If an email address enters a wrong password, it adds 1 to a field in the user table. Once it hits 4, a check in the login code, before the check email and get password, first checks the number of bad login attempts. If it's 4, it stops the script, therefore not getting the password, and ignores any further attempt to log in.
So if you try for a fifth time you just straight away get sent to an account locked page. No time limits etc.
Stops brute force I guess?
I also implemented crypt on the salt to make it stronger???
Tell me if I'm wrong!!!
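
The lockout flow described in the post above, as an added example that is not the poster's code: the counter is read before the password hash is fetched, and the increment is done in SQL so concurrent failures are all counted. The table and column names, the status strings, the reset on successful login and the use of password_hash() in place of the poster's crypt() salt handling are assumptions.

```php
<?php
// Added example; schema and names are assumptions, not taken from the thread.
const MAX_FAILED = 4;

function attempt_login(PDO $db, string $email, string $password): string
{
    // Step 1: read only the counter, before the password hash is fetched.
    $st = $db->prepare('SELECT failed_attempts FROM users WHERE email = ?');
    $st->execute([$email]);
    $failed = $st->fetchColumn();
    if ($failed === false) {
        return 'invalid';   // unknown email: same answer as a bad password
    }
    if ((int) $failed >= MAX_FAILED) {
        return 'locked';    // stop here; the hash is never loaded
    }

    // Step 2: only now fetch the hash and verify it.
    $st = $db->prepare('SELECT password_hash FROM users WHERE email = ?');
    $st->execute([$email]);
    if (password_verify($password, (string) $st->fetchColumn())) {
        // Assumption: a successful login clears the counter.
        $db->prepare('UPDATE users SET failed_attempts = 0 WHERE email = ?')
           ->execute([$email]);
        return 'ok';
    }

    // Step 3: increment inside SQL so parallel failures are not lost.
    $db->prepare('UPDATE users SET failed_attempts = failed_attempts + 1 WHERE email = ?')
       ->execute([$email]);
    return 'invalid';
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT,
           failed_attempts INTEGER DEFAULT 0)');
$db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
   ->execute(['user@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Four wrong passwords, then the right one on the fifth try.
foreach (['bad1', 'bad2', 'bad3', 'bad4', 'correct horse'] as $i => $pw) {
    echo ($i + 1) . ': ' . attempt_login($db, 'user@example.test', $pw) . PHP_EOL;
}
```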