Here's something I've been trying to solve semi-actively for weeks now. If you like challenges, please read this through, even though it's a bit on the long side.
We have two webmail servers with different login pages, neither of which I can administer/edit. Both sites authenticate against the same LDAP database using the same user credentials. The username and password variables you pass via POST in their login form are different (i.e. username vs user and password vs pass). On top of that both use Apache Basic Authentication (yep, makes you write your username and password two times).
Now the fun part is that I do administer the proxy in front of both systems. So for the user it seems like you're just going to https://webmail.company.com/system1/ or https://webmail.company.com/system2/ but you're really hitting different servers. The proxy actually handles the mentioned Basic Authentication.
What I would like and am trying to do is a PHP page sitting in https://webmail.company.com/ where you enter your username and password and select the system you want to use from a dropdown list and it would throw you to your preferred system. On submit it would pass the credentials to Apache's BA and pass the same credentials with correct POST variables to the webmail system the user chose.
I've explored three different solutions so far:
Method 1: Pass credentials to URL
My most successful try was to have a web page that submits the main login form to https://username:password@webmail.company.com/selected_system/ also modifying the username and password variable names to correspond with the selected systems. This method used JavaScript (not much to do with PHP).
This method had two side-effects. First, IE showed the username and password in the URL in plain text unless you modified the registry somewhat. Mozilla and Opera worked just fine, but every now and then asked for the BA anyway (nothing to do with sessions expiring).
Method 2: Use BA on the login page
A working but somewhat insecure method was to use BA for the central login page. Then read the BA credentials with PHP and use those in hidden fields on the form where you had only the dropdown list.
This method also had two side-effects. The username and password got stored in the browser cache which you could see by going back and reading the source.
Method 3: curl / fopen / iframe / etc...
I also tried to make my proxy talk to the backend webmail systems and pass the data to the user in several different ways. This obviously was a total catastrophe and a desperate attempt I just had to give up after too many problems that I couldn't anticipate.
Anyone tried anything similar with any luck? Could BA be replaced completely with a login page or could it be passed from a webpage somehow? Is there any way to securely submit the BA information to another URL and modify the POST variables in the process? Can anybody help me out here please?
I tried googling but couldn't come up with a good search phrase which wouldn't give me a load of generic how to write your own login page hits.
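
Added example, not part of the original post: a PHP sketch of the credential mapping the question describes, done server-side so the password appears neither in a URL (Method 1) nor in hidden form fields (Method 2). Which backend takes which field names is an assumption (the post only gives the pairs username/user and password/pass), and `build_backend_login` is a hypothetical helper that only builds the request; relaying it and handing the resulting session to the browser is not covered.

```php
<?php
// Added example. The field-name assignment per system is assumed; the
// paths and host are the ones given in the post.
const SYSTEMS = [
    'system1' => ['path' => '/system1/', 'user_field' => 'username', 'pass_field' => 'password'],
    'system2' => ['path' => '/system2/', 'user_field' => 'user',     'pass_field' => 'pass'],
];

function build_backend_login(string $system, string $user, string $pass): array
{
    // Allow-list the dropdown value so it can never select an arbitrary path.
    if (!array_key_exists($system, SYSTEMS)) {
        throw new InvalidArgumentException('unknown system');
    }
    // Basic auth (RFC 7617) joins user and password with ':', so the user-id
    // must not contain one. Control characters are rejected to rule out
    // header injection through CR/LF.
    if ($user === '' || strpos($user, ':') !== false
        || preg_match('/[\x00-\x1f\x7f]/', $user . $pass)) {
        throw new InvalidArgumentException('invalid credential format');
    }
    $cfg = SYSTEMS[$system];
    return [
        'url'     => 'https://webmail.company.com' . $cfg['path'],
        'headers' => [
            // The same credentials, once for Apache Basic Authentication...
            'Authorization: Basic ' . base64_encode($user . ':' . $pass),
            'Content-Type: application/x-www-form-urlencoded',
        ],
        // ...and once as POST fields under the names the chosen system expects.
        'body'    => http_build_query([
            $cfg['user_field'] => $user,
            $cfg['pass_field'] => $pass,
        ]),
    ];
}

// Constructed sample input; prints the URL and field names, not the secrets.
$req = build_backend_login('system2', 'alice', 'p@ss&word=1');
parse_str($req['body'], $fields);
echo $req['url'], "\n", implode(',', array_keys($fields)), "\n";
```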