My organisation uses MWG 220.127.116.11 which is hosted by an external service provider. The system is shared across several agencies which limits the way we can use some features.
For my organisation we primarily use NTLM authentication, so it's transparent for our Windows computers that are on our Active Directory. This has worked well for a while; however, we are becoming more device-agnostic, so we are having to cater to a wide range of devices. We don't want to lose the simplicity for Windows users, but we need to get rid of the incessant credentials prompts on devices like iPads, iPhones, etc.
So what I have done is add a rule set above our NTLM authentication that produces a login form if you visit a fictional domain (in our case, auth.doe was chosen). If you successfully authenticate, it adds the relevant information to PDStorage with a 2-hour lifetime. This PDStorage is then checked in the main authentication rule set. I chose to change the normal web form template to use PDStorage due to some strange authentication quirks when using the IP Database, and also to allow the end user to visit http://auth.doe/logout to clear out the PDStorage value. This is because some devices are shared, and it will prevent users from being authenticated as the previous user. This is all working pretty well, except for a significant security concern...
When the Login Form (POST) page (the one that is created when you import the Time/IP authentication rule) is left as-is in the Default schema, it submits the form values correctly and the rules can process the request. However, we don't want the page to stay in the Default schema; we want it under our own schema so we can customise the page a bit. But if I edit the page at all, whether by modifying the version in the original location or copying the code over to our schema, it no longer seems to be able to submit the form data. I have created a debug block page with a form that submits back to itself and outputs various header and parameter values, but the only ones that get through are GET variables, which are included in the URL of the page. I have gotten a proof of concept working by changing it over to use GET (with the username and password base64-encoded), but we don't want that information logged or captured by anyone or anything.
Does anyone have any insights into why it might be doing this? I would definitely appreciate it if anyone has the time to try to reproduce the problem. I am happy to provide as much information as I can.
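As an added illustration (not code from the original post, and not MWG's own rule or PDStorage implementation), the Python below models the two parts of the design described above: a per-client session store with the 2-hour lifetime and a logout that clears it, and a small scan over constructed proxy access-log lines showing why the GET-based proof of concept is a problem, since base64 is an encoding, not protection, and anything in the URL is recoverable from the log. The `FormAuthStore` class, the `credentials_in_query` and `scan_log` helpers, the log format and the sample entries are all assumptions made for this example.

```python
import base64
import time
from urllib.parse import parse_qs, urlsplit

SESSION_TTL_SECONDS = 2 * 60 * 60  # the 2-hour lifetime mentioned in the post


class FormAuthStore:
    """Hypothetical stand-in for the PDStorage-backed session described in the post.

    Keyed by client IP, it records who authenticated via the login form and when
    that record expires; the main authentication step consults it before falling
    back to NTLM. `clock` is injectable so expiry can be tested deterministically.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self._sessions = {}  # client_ip -> (username, expiry_timestamp)

    def login(self, client_ip, username, password, verify):
        """Store a session only if the supplied credentials verify."""
        if not verify(username, password):
            return False
        self._sessions[client_ip] = (username, self.clock() + self.ttl)
        return True

    def authenticated_user(self, client_ip):
        """Return the user bound to this client, or None if absent or expired."""
        entry = self._sessions.get(client_ip)
        if entry is None:
            return None
        user, expiry = entry
        if self.clock() >= expiry:
            del self._sessions[client_ip]  # lazily drop stale records
            return None
        return user

    def logout(self, client_ip):
        """The http://auth.doe/logout behaviour: forget the shared device's user."""
        self._sessions.pop(client_ip, None)


def credentials_in_query(url):
    """Recover username/password values carried in a URL's query string.

    Values are base64-decoded when they decode cleanly, otherwise kept raw.
    """
    params = parse_qs(urlsplit(url).query)
    found = {}
    for key in ("username", "password"):
        for value in params.get(key, []):
            try:
                found[key] = base64.b64decode(value, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                found[key] = value
    return found


# Constructed access-log lines in a common-log style (not real MWG output).
# The first models the GET proof of concept; the second a proper POST, whose
# body is never written to the access log.
LOG_LINES = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET http://auth.doe/login?username=YWxpY2U=&password=cGFzc3dvcmQx HTTP/1.1" 302',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] '
    '"POST http://auth.doe/login HTTP/1.1" 302',
]


def scan_log(lines):
    """Return (method, credentials) for every logged request leaking credentials."""
    hits = []
    for line in lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        method, url, _ = parts[1].split(" ", 2)
        creds = credentials_in_query(url)
        if creds:
            hits.append((method, creds))
    return hits


if __name__ == "__main__":
    store = FormAuthStore()
    store.login("192.0.2.10", "alice", "pw", lambda u, p: p == "pw")
    print("session user:", store.authenticated_user("192.0.2.10"))
    store.logout("192.0.2.10")
    print("after logout:", store.authenticated_user("192.0.2.10"))
    print("credentials recoverable from log:", scan_log(LOG_LINES))
```

Running it shows the GET entry yielding the plaintext username and password straight out of the log, while the POST entry yields nothing; that is the practical difference between the two submission methods from a logging standpoint.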