Using XenForo to authenticate users in external web apps

Eric Winter

Member
I'm integrating a range of existing web apps with XenForo 1.0.0 beta 5.
In order to save users from having to log in to different apps multiple times, I would like to use XenForo to authenticate my users against. They will all have a personal account in XenForo.

The web apps each have their own user accounts already.
To keep things manageable, the usernames and passwords are identical to the user credentials in XenForo.

So far, I have been able to set up the XenForo framework and access the currently logged-in user from my test app. I can read username, userID, email, etc.

I need the user's password to be able to log them in to each of my web apps. However, the original password is not stored in XenForo for obvious reasons. As only the one-way-encrypted hash is stored (depending on the authentication scheme, that is), there is no way for me to decrypt the password.

The most feasible solution for me would be to save the user's password in a cookie, as soon as the user logs in to XenForo. The cookie will be set to expire as soon as the session is explicitly ended or times out, whichever comes first.
That way, no password is stored in any database, only on the client's machine for the duration of the session. To tighten security, I could encode the password in the cookie.
That would enable me to read the user's password and silently log the user in to the other web apps.

QUESTION: where in XenForo do I put my PHP code to save a cookie with the user's password?
I gather that would be straight after the code that is responsible for showing the sliding bar in the top of the screen when the user clicks the "Log in or Sign up" link in the right upper corner.

NOTE: please, please, please do not start discussing security aspects involved.
I'm solely interested in integrating these web apps with a single sign-on.
 