You make a PHP script that receives the incoming HTTP AJAX requests from your C2 client and pass the username and password hash as parameters like:
http://yourdomain.com/login.php?usernam ... j2398KJdss
Then you retrieve the parameters in PHP, pull the password hash associated with the username from the database, and compare it to the hash received from the client. If they match, you create a session and manage it with PHP. You key the session cache using the public IP of the request and whatever other relevant info from the request you want to use.
I use the date up to the day in the session cache key to create an automatic session expiry, but you can just use the public IP if you want.
Every request that comes in to your PHP server will always check the session cache first for a session corresponding to that IP. If it exists and the session ID matches, then it produces a page with all of the appropriate details.
We use the TextBox injection method to pass parameters directly from the HTML into the C2 js scripts. We also use a highly modified version of the 'index.html' file that C2 outputs. If you look at the HTML for our homepage, you will see a doIt() function that we added to inject parameters directly into our C2 application.
[code]
<script type="text/javascript">
function doIt()
{
    // Set the text boxes that the C2 scripts read their parameters from.
    document.getElementById("getDisplayName").value = "";
    document.getElementById("getUserID").value = "-1";
    document.getElementById("getFT").value = "1";
    document.getElementById("serverIP").value = "www.stormforgedproductions.com";
    document.getElementById("saltBox").value = "eab5f675c24ebec8b745c8aa90096852f54ac10ce7f2f6638ccbf26248f480360fb8103977581838b28aa73b10f2ed731f7b544b736453e3bcf3a5446042d321";
    document.getElementById("errorBox").value = "";
    document.getElementById("playerServers").value = "{}";
    document.getElementById("direct").value = "";
    document.getElementById("tester").value = "false";
    document.getElementById("playerCapId").value = "-1";
}
</script>
[/code]
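The login and session-cache check described in the post, as an added PHP example that is not the poster's code. It swaps the hash comparison for `password_verify()` on a password sent in a POST body over HTTPS, and adds the username to the IP-plus-day cache key so users behind one public IP do not collide; the function names, the in-memory user table and the addresses are constructed for illustration.

```php
<?php
// Constructed stand-ins for the database table and the session cache.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$sessionCache = [];

// Cache key as in the post: public IP plus the date up to the day, so entries
// stop matching after midnight UTC. The username is added as extra request info.
function cacheKey(string $ip, string $user): string
{
    return hash('sha256', $ip . '|' . $user . '|' . gmdate('Y-m-d'));
}

// Verify the password and, on success, store a fresh random session ID.
function login(array $users, array &$cache, string $ip, string $user, string $password): ?string
{
    // Unknown users are checked against a dummy hash so both paths cost the same.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $users[$user] ?? $dummy);
    if (!$ok || !isset($users[$user])) {
        return null;
    }
    $sid = bin2hex(random_bytes(32));        // unguessable 256-bit session ID
    $cache[cacheKey($ip, $user)] = $sid;
    return $sid;
}

// Every later request: look up the cache entry, then compare the session ID
// in constant time. A matching IP alone is never enough.
function checkSession(array $cache, string $ip, string $user, string $sid): bool
{
    $expected = $cache[cacheKey($ip, $user)] ?? null;
    return is_string($expected) && hash_equals($expected, $sid);
}

// Constructed walk-through using documentation-range IP addresses.
$sid = login($users, $sessionCache, '203.0.113.7', 'alice', 'correct horse');
var_dump(is_string($sid));                                                 // login with the right password
var_dump(checkSession($sessionCache, '203.0.113.7', 'alice', $sid));       // same IP, same session ID
var_dump(checkSession($sessionCache, '198.51.100.9', 'alice', $sid));      // session ID replayed from another IP
var_dump(checkSession($sessionCache, '203.0.113.7', 'alice', str_repeat('0', 64))); // right IP, wrong session ID
var_dump(login($users, $sessionCache, '203.0.113.7', 'alice', 'wrong'));   // wrong password
```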