April 10, 2012

Hello, everyone. So, recently I've been doing a fair bit of work on some custom web publishing for my company. Now I've gotten to the point where I no longer want to use my default test account that automatically logs in (hard-coded username and password in my PHP files (no, this is not live yet)). I would like to start working on a login page, but I'm not sure where to start with my solution.

Here's the problem. My CWP often uses AJAX to perform the calls to FM Server. As such, the PHP file that actually connects to the server is never located on the client devices. I need the clients to be able to log in (to verify they have access to our system), then be able to send those credentials many times per day to the AJAX file so it can log in as them and perform the command. However, I don't even know where to start to do this.

I definitely don't want to store and send their passwords in plain text. This would technically work, but why would anyone do that? So I need to encrypt them somehow, and it needs to be done in a way that the AJAX file can then decrypt them in order to get the credentials. But my problem with this is that the encrypted password basically just becomes the user's password. Now if someone gets the encrypted password, they could just as easily send it to the AJAX file, where it's decrypted and run as normal. So apparently I have to do something with the password on-the-fly to prevent this? But what?

I'm at a complete loss for how to do this sort of thing. Do we have any security experts here that might be willing to give me some insight? Is there a big (or little) PDF that's already explained all of this and I've just overlooked it? Is Obi-wan Kenobi my only hope?

Thank you in advance for any help on this.