In order to pass the query params, you need to put them in as part of the URL like you would for a GET request. Like so:

<%= link_to "Click Here", "/login?username=testuser&password=moojuice", :method => :post %>

or alternatively if you are using Rails route helpers

<%= link_to "Click here", login_path(:username => "testuser", :password => "moojuice"), :method => :post %>

I’m not exactly sure based on the original question if you will be using this link in the same Rails application as the one you are logging into. If you aren’t, there is one other slight gotcha. When posting from an external site, Rails is going to most likely ignore your request because you will be missing the CSRF token that Rails automatically generates when you loads a page. In order to accomplish this, you’re going to have to put a protect_from_forgery method call in the controller that handles your login. Assuming your /login route maps to the SessionsController action create:

class SessionsController < ApplicationController
  protect_from_forgery :except => [:create] # Need this to ignore CSRF token
  def create
    # Login logic
  end
end

That being said, I wouldn’t suggest removing the CSRF token because this will make your application less secure. I would suggest just implementing a special action in your SessionsController that just logs them in to their own Session like so:

class SessionsController < ApplicationController

  def create
    # Login logic
  end

  def demo_account
    # Logic to create session for demo account
  end
end

This way you can just forget about a link that does the POST request and just have a GET route that maps /demo_login to SessionsController‘s *demo_account* action. This would additionally allow this link to be used anywhere as opposed to just in your application (like in an email as one of the previous commenters @allaire suggested). But if you want it to work from a link in your Rails application, then just ignore the part of my answer about the CSRF token.