in reply to Securing Web Apps.

It does not help security that much to have JavaScript on the client calculate the hash. The SSL protects the username and password from going across the wire in the clear. The client JavaScript is fragile and browser dependent.

If you aren't using SSL and the challenge is not randomized for each client, then you are vulnerable to replay attacks. The attacker can send the sniffed token and log in like a normal user without having to know the password.
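
The replay condition described in this reply, as an added example that is not part of the original post: a server-side check that accepts a captured response again when the challenge is fixed, and rejects it when each challenge is random, single-use and short-lived. The `LoginServer` class, the HMAC-SHA-256 scheme, the account and the password are all constructed for illustration (Node.js `crypto`).

```javascript
const crypto = require('crypto');

// Constructed sample account. The stored value is password-equivalent,
// which is one more reason the transport still needs SSL.
const users = new Map([
  ['alice', crypto.createHash('sha256').update('correct horse').digest('hex')],
]);

// What the client-side script would compute: HMAC(sha256(password), challenge).
function clientResponse(password, challenge) {
  const secret = crypto.createHash('sha256').update(password).digest('hex');
  return crypto.createHmac('sha256', secret).update(challenge).digest('hex');
}

class LoginServer {
  constructor({ fixedChallenge = null, ttlMs = 60000 } = {}) {
    this.fixedChallenge = fixedChallenge; // non-null models the weak setup
    this.ttlMs = ttlMs;
    this.pending = new Map(); // challenge -> expiry time (ms)
  }
  issueChallenge(now = Date.now()) {
    const c = this.fixedChallenge ?? crypto.randomBytes(16).toString('hex');
    this.pending.set(c, now + this.ttlMs);
    return c;
  }
  verify(user, challenge, response, now = Date.now()) {
    const expiry = this.pending.get(challenge);
    if (expiry === undefined || now > expiry) return false; // unknown, used or expired
    // Single use: a random challenge is consumed whatever the outcome.
    if (this.fixedChallenge === null) this.pending.delete(challenge);
    const secret = users.get(user);
    if (!secret) return false;
    const expected = crypto.createHmac('sha256', secret).update(challenge).digest();
    const got = Buffer.from(String(response), 'hex');
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  }
}

// One legitimate login, then the same (challenge, response) pair sent again.
function replayOutcome(server) {
  const challenge = server.issueChallenge();
  const captured = clientResponse('correct horse', challenge);
  const first = server.verify('alice', challenge, captured);
  server.issueChallenge(); // the next visitor is handed a challenge
  const replayed = server.verify('alice', challenge, captured);
  return { first, replayed };
}
```

`replayOutcome(new LoginServer({ fixedChallenge: 'static-challenge' }))` reports the second submission as accepted; with the default random challenge it is rejected.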