document updated on Mar 14, 2006
BroadVoice allows numbers to be dialed from your PC, using BroadSoft's CommPilot.

It'd be nice to be able to use this functionality 1) without using ActiveX, 2) possibly in an automated way,
but even more especially 3) to be able to properly dial tel:// URLs from your browser,
the way they were designed to be used.

	(tel:// URLs are covered here: http://www.zvon.org/tmRFC/RFC2806/Output/,
	 and are supported in the Motorola A1000 Opera, at least)


The steps to initiate a call to your hardware device, from any other PC:

	1. get a new JSESSIONID
	
		1a. GET http://appserver.dca.broadvoice.com/

		1b. record the JSESSIONID cookie from the response header


	2. log the new JSESSIONID in

		2a. POST to https://appserver.dca.broadvoice.com/servlet/com.broadsoft.clients.oam.servlets.Login

			2aa. include the JSESSIONID cookie from above
			2ab. post field "domain" = ""
			2ac. post field "UserID" = your BroadVoice user-id
			2ad. post field "EnteredUserID" = your BroadVoice user-id
			2ae. post field "Password" = your BroadVoice password

		2b. that's it...  nothing to remember on the client-side...  the server just had to make sure
		    this JSESSIONID is authorized to make calls


	3. initiate the call

		3a. POST to http://appserver.dca.broadvoice.com/servlet/CallClient

			3aa. include the JSESSIONID cookie from above
			3ab. post field "DialedNumber" = the number you want to dial
			3ac. post field "Action" = "Dial"
			3ad. post field "DialOnEnter" = "true"
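
The three steps above as a Python sketch. This is an added example, not BroadVoice or BroadSoft code; the function names are made up here, and only dial() touches the network. cleartext_cookie_urls() reports which requests would carry the JSESSIONID over plain http, which is the exposure the security note below is about.

```python
import getpass
import sys
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

HOST = "appserver.dca.broadvoice.com"  # host and paths are from the steps above
LOGIN_URL = f"https://{HOST}/servlet/com.broadsoft.clients.oam.servlets.Login"
DIAL_URL = f"http://{HOST}/servlet/CallClient"

def extract_jsessionid(set_cookie_value):
    """Step 1b: pull JSESSIONID out of a Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    if "JSESSIONID" not in jar:
        raise ValueError("no JSESSIONID in Set-Cookie header")
    return jar["JSESSIONID"].value

def _post(url, jsessionid, fields):
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(url, data=body, method="POST",
                                  headers={"Cookie": f"JSESSIONID={jsessionid}"})

def build_login(jsessionid, user_id, password):
    """Step 2a: cookie (2aa) plus fields 2ab-2ae, sent over https."""
    return _post(LOGIN_URL, jsessionid, {"domain": "", "UserID": user_id,
                                         "EnteredUserID": user_id, "Password": password})

def build_dial(jsessionid, number):
    """Step 3a: cookie (3aa) plus fields 3ab-3ad, sent over plain http."""
    return _post(DIAL_URL, jsessionid, {"DialedNumber": number,
                                        "Action": "Dial", "DialOnEnter": "true"})

def cleartext_cookie_urls(requests):
    """URLs of requests that would send the session cookie unencrypted."""
    return [r.full_url for r in requests if r.has_header("Cookie")
            and urllib.parse.urlsplit(r.full_url).scheme == "http"]

def dial(user_id, password, number):
    """Run steps 1-3 against the live service (the only networked function)."""
    with urllib.request.urlopen(f"http://{HOST}/") as resp:            # step 1a
        sid = extract_jsessionid(resp.headers.get("Set-Cookie", ""))   # step 1b
    urllib.request.urlopen(build_login(sid, user_id, password)).close()
    urllib.request.urlopen(build_dial(sid, number)).close()

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: dial.py USER_ID NUMBER")
    dial(sys.argv[1], getpass.getpass("BroadVoice password: "), sys.argv[2])
```

The password is read with getpass rather than from argv so it does not show up in the process list or shell history.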



From a security standpoint, it looks nearly bulletproof...

Your ISP could potentially sniff your JSESSIONID and use it after you've authenticated,
possibly for some somewhat nasty things.  Hrm.  But they'd have to spoof your IP (which only they could do, correct?)
And a similar problem is present on all JSESSIONID-style pages?