Hi Govardan,
what I meant by simulating is that your logon module "pre-fills" username and password and redirects to another URL. AS Patrick mentioned the logon module seems doing something strange but hard to say without seeing whole logic.
I also want to mention that you can't protect against attacker that can access browser memory. For example even if you logon module is fixed and it does not perform redirection with username/password but instead it issues a logon ticket. If attacker can read this ticket from memory then he will be able to misuse it.
Cheers