I have a small problem with the concept of securityToken, and I hope you can bring me some light!

I understand that this securityToken is sent together with the login and password to prevent fraudulent identification, but I don't get where theat token is generated.

In my case, I try to adapt the login_as_customer module, which allow an admin to click on a button to directly login in the catalog part of the shop using the customer's email and the master password.

Information is sent that way :

Code:
<form target="_blank" name="login" action="' . $login_as_customer . '" method="get">
<input type="hidden" name="email_addr" id="login-email-address" value="' . $email_address . '">
<input type="hidden" name="password" id="login-password" value="' . $pass . '">
<input type="image" src="' . $place_order_button . '">
</form>
I would expect the following to work with 1.3.8a :

Code:
<form target="_blank" name="login" action="' . $login_as_customer . '" method="get">
<input type="hidden" name="email_addr" id="login-email-address" value="' . $email_address . '">
<input type="hidden" name="password" id="login-password" value="' . $pass . '">
' . zen_draw_hidden_field('securityToken', $_SESSION['securityToken']) . '
<input type="image" src="' . $place_order_button . '">
</form>
(the code might look a little strange, it is in fact only an abstract of a long string sent, but it is working - no parse error)

But this seems not to work. Do I have a problem with the way I generate the token??

Thanks,

sanji