That will work as long as I am willing to put the password in the query-string (html PUT) unencrypted and un-encoded.
Another option I think can work, is not redirecting just the page auto.htm (but a request to that page should create new session even if he had one before) and I can add a auto.htm page in the html folder and post the login form on that page using javascript so the user kind of gets logged in automatically.
The best and most secure option (so that we don't have to expose the users password admin/other) would be to have some encryption key in the pbx (that is not exposed in the admin web ui but only in the bpx.xml file (or another file that wont get exported with the configuration export for extra security) since there can only be one admin user and this shouldn't be exposed to all admin users). So to auto login the user from a custom application I can send the user to a url with something like this http://pbx/auto.htm?auth=RW543tfw45tads54G...eg_settings.htm (auth might have to be url encoded)
The auth filed will be an encrypted string that has in it the password and an expiration time or even better the time the key was generated (and maybe also the users IP address) this will allow the user to login without exposing the password to the user and to hackers, and will make this auth key worthless after a few minutes from anywhere and non accessible from other ip's right away.
(To make things more complicated and secure you can use public/private key encryption but I don't know if this is necessary)
Thanks,
Yitzchok