Many sites nowadays use AJAX to let users log in.
However, there is a (I think) huge security flaw with this design.
If the login failed, the username/password has been used in a request made to the server.
If for some reason the user goes AFK at this point, a malicious user can view the request that has been made by the user (Firebug / DevTools).
Is this correct?
Is there something we can do about it (I don't think so)?