I am showing you steps that you can implement.
1. set your session['counter'] to 0 at page_load
session['counter'] = 0;
2. First verify user password is correct or not using this query
string sql = "SELECT COUNT(*) FROM UserMaster WHERE UserName = '" + strUserName +"' AND Password='" + strPassword + "'";
int retValue = executeQuery(sql);
3. If return value is 0 then increment your counter by 1
session['counter'] = Convert.ToInt32(session['counter']) + 1;
4. check session['counter'] value is grater than or equal to 3 then make user as locked.
if (Convert.ToInt32(session['counter']) >= 3) {
string sql = "UPDATE UserMaster SET isLocked = true WHERE UserName = '" + strUserName +"'";
executeQuery(sql);
}
this is algorithm you have to correct the code.