I have a Sencha application running on one server and a back-end web service running on a separate server which provides the Sencha application with it's data as well as authentication. Both servers are secured with HTTPS.

I originally had my Sencha app using just JSON to communicate with the back-end, but it meant having to keep both servers on the same domain. Ajax calls do not allow cross-domain communications.

As an aside, you can actually allow cross-domain communications, but it seems mobile browsers do not support it. See here.

When using JSON, I did a HTTP POST to the back-end server to handle authentication with the username and password in the HTTP header. However, it's not possible to do POST requests using JSONP, so how does one go about sending the username and password to the back-end?

I could of course just do a GET request and have the username and password in the URL but this is surely a big no no since the URL is still sent as plain text even on a HTTPS connection.

So I am looking for a bit of direction on how to go about this. I am sure this is something that has cropped up previously. Perhaps I have no choice but to have both applications running on the same server?

Any advise would be great.

Thanks