OK. That’s funny. I was logged in but didn’t know it!
A response such as a redirect to the root page would be less confusing for a new user.
For best security, it could happen after a time delay.
Another security issue here is that the password entry field is a plain text entry control, with all the consequent behaviors of that, such as the browser revealing the text, recording history, etc.
But anyway, without an SSL connection, at least during login, bypassing any security measures is trivial using simple packet capture and replay. Without SSL, this issue exists even when using private keys and tokens. To work around this problem, an SSH tunnel (or whatever other encrypted tunnel) would be needed to secure traffic with the server.