Actually, it’s gotten so messy that I’m not even sure curl is the culprit. So, here’s the php:

$creds = array(
    'pw' => "xxxx",
    'login' => "user"
    );

$login_url = "https://www.example.net/login-form"; //action value in real form.
$loginpage = curl_init();

curl_setopt($loginpage, CURLOPT_HEADER, 1);
curl_setopt($loginpage, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($loginpage, CURLOPT_URL, $login_url);
curl_setopt($loginpage, CURLOPT_POST, 1);
curl_setopt($loginpage, CURLOPT_POSTFIELDS, $creds);

$response = curl_exec($loginpage);
echo $response;

I get the headers (which match the headers of a normal, successful request), followed by the login page (I’m guessing curl captured this due to a redirect) which has an error to the effect of “Bad contact type”.

I thought the problem was that the request had the host set to the requesting server, not the remote server, but then I noticed (in Firebug), that the request is sent as GET, not POST.

If I copy the login site’s form, strip it down to just the form elements with values, and put the full URL for the action, it works just great. So I would think this isn’t a security issue where the login request has to originate on the same server, etc. (I even get rid of the empty hidden values and all of the JS which set some of the other cookies).

Then again, I get confused pretty quickly.

Any ideas why it’s showing up as GET, or why it’s not working, for that matter?