actually (replying to myself) I'd make a 'digest' with the password and the session id, and post that on the forms, and authenticate against that. The problem is that the script is not saving the password as plaintext on the database (crypt()). I but I could still use it. Thanks!

UPDATE: this is the solution I used after all. I get the session number from mod_session (apache module), and I create an 'md5_base64' string with that and the crypt()ed password (that's how the passwords are stored on the base), that's what I put on the forms.
Thanks everyone for your help!