Now, I understand that I could simply use SSL and this would be much less of an issue. And if it comes to it, I could SSL the logon process (or more likely the entire site to protect the session cookie and identifiers) to get around this.
As such, while I am really keen to move to XF, I feel this is a major stumbling block for us. I can't bring myself to step back and expose our users to this risk, and do so with a good conscience. Sure, I can use SSL as I mentioned before, but this isn't ideal for everyone.
So the suggestion? Is something like http://wordpress.org/extend/plugins/semisecure-login-reimagined/ feasible in XenForo? Worst case, I'd have to buy a licence, and look at trying to plug it into the authentication framework, but I'd prefer to not be buying the software and then immediately starting to adjust something as fundamental as the login system, before it was able to be used. I don't know if my PHP knowledge would be up to it, having been used to modifying vB before, which I'm more familiar with... Also, would this be something involving edits to "critical" files, or could it form an "addon"?