A standardized formulation of the UserID and session token would fix that.
We could actually just use the existing HTTP Auth protocol and provide end-to-end security.
This uses a challenge and response between server and client -- it's used on password-protected pages and calls up that browser popup. I'll link to a protected page of my own so you can see it.
This has the benefit of coming up OUTSIDE the browser page, so that it's potentially far less spoofable when paired with a "remember account" system as in all major browsers. A spoofed page wouldn't be remembered and wouldn't auto-populate. Hint: if you are typing in a login on a browser page, it's too late. You need to put in your password BEFORE the page ever comes up if security is requested.
The client and server could exchange nonce values, perform HMAC(password, nonce1 + nonce2) = A1, or similar, to create the A1 proof of knowledge. Now, instead of using A1 i