Neil Kandalgaonkar wrote:
I added a comment to the talk page.
http://www.mediawiki.org/wiki/User_talk:Akshay.agarwal
Long story short, we had this discussion in IRC... some people find the
concept of AJAX login really alarming from a security perspective, but I
think there could (COULD) be some ways to compromise there. There is a
little-used concept called Digest Authentication that we could implement
in JavaScript.

Using AJAX is not more insecure than normal login using POST (which
should be kept for non-JS clients). You just need a begin request before
the one that transmits the credentials.
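
The two ideas in this thread, a "begin request" followed by a Digest-style credential request, can be combined as in the following added example, which is not code from the thread or from MediaWiki. It follows the RFC 2617 Digest computation (MD5, `qop=auth`) and runs under Node.js; `createServer`, the realm, the user and the password are hypothetical names and constructed values.

```javascript
const crypto = require("node:crypto");
const md5 = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Client side: turn the server's challenge into a response.
// The password is hashed with the nonce and is never sent itself.
function digestResponse(cred, req, challenge) {
  const ha1 = md5(`${cred.username}:${challenge.realm}:${cred.password}`);
  return responseFromHa1(ha1, req, challenge);
}

function responseFromHa1(ha1, req, challenge) {
  const ha2 = md5(`${req.method}:${req.uri}`);
  return md5(`${ha1}:${challenge.nonce}:${req.nc}:${req.cnonce}:${challenge.qop}:${ha2}`);
}

// Server side (hypothetical): stores HA1 per user, hands out single-use nonces.
function createServer(realm, ha1ByUser) {
  const pending = new Map(); // nonce -> challenge issued by the begin request
  return {
    begin() {
      const challenge = { realm, qop: "auth", nonce: crypto.randomBytes(16).toString("hex") };
      pending.set(challenge.nonce, challenge);
      return challenge;
    },
    login(username, req, nonce, response) {
      const challenge = pending.get(nonce);
      pending.delete(nonce); // a nonce is accepted once, so a captured response cannot be replayed
      const ha1 = ha1ByUser.get(username);
      if (!challenge || !ha1) return false;
      const expected = Buffer.from(responseFromHa1(ha1, req, challenge));
      const got = Buffer.from(String(response));
      return got.length === expected.length && crypto.timingSafeEqual(got, expected);
    },
  };
}

// Constructed demo: one begin request, one login, then a replay of the same message.
function demo() {
  const realm = "wiki.example";
  const server = createServer(realm, new Map([["alice", md5(`alice:${realm}:correct horse`)]]));
  const req = { method: "POST", uri: "/login", nc: "00000001", cnonce: crypto.randomBytes(4).toString("hex") };
  const c = server.begin();
  const resp = digestResponse({ username: "alice", password: "correct horse" }, req, c);
  return { first: server.login("alice", req, c.nonce, resp), replay: server.login("alice", req, c.nonce, resp) };
}
```

The exchange keeps the password off the wire, but it does not protect the integrity of the page or script that computes the response, so the login page still has to be delivered over TLS.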