Would require an extra roundtrip... Problem is that you get challenges with client side and solve it with server side. It's website who should go, get a challenge for you, put it in your session cookie and make sure you don't go and get another one. Which complicates it a lot
