Curious why you're not POSTing over SSL for /login?
<form class="signin" method="post" action="/sessions">
  <div style="margin: 0pt; padding: 0pt;"> </div>
  <input id="authenticity_token" type="hidden" value="7a401eeee566e00cff4abe1cba6ed4c70bf52d37" name="authenticity_token"/>
  <fieldset class="common-form standard-form"> </fieldset>
</form>
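
An added example, not part of the original comment or the site's own code: the form's action="/sessions" is relative, so the POST inherits the scheme of the page that served the form. The Python check below resolves each form action against the page URL and reports whether the submission and the page itself use HTTPS; the host example.test and the names FormCollector and audit_forms are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the method and action of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            method = (a.get("method") or "get").lower()
            self.forms.append((method, a.get("action") or ""))


def audit_forms(page_url, html):
    """Resolve each form action against page_url and report the transport."""
    collector = FormCollector()
    collector.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    results = []
    for method, action in collector.forms:
        # A relative or empty action resolves against the page URL,
        # so it inherits the page's scheme and host.
        target = urljoin(page_url, action)
        results.append({
            "method": method,
            "target": target,
            "submit_https": urlsplit(target).scheme == "https",
            "page_https": page_https,
        })
    return results


# The form from the comment, trimmed to the attributes that matter here.
FORM = '<form class="signin" method="post" action="/sessions"></form>'

if __name__ == "__main__":
    # example.test is a constructed host; the comment does not name the site.
    for url in ("http://example.test/login", "https://example.test/login"):
        for r in audit_forms(url, FORM):
            ok = r["submit_https"] and r["page_https"]
            print(url, "->", r["method"].upper(), r["target"],
                  "ok" if ok else "cleartext exposure")
```

A form served over plain HTTP with an absolute https:// action still reports page_https as False, since the page carrying the form can be altered in transit before the user submits it.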