This is the response I gave to Shaun Lloyd yesterday. He seemed to be able to get it working:
I gave the tips, he put together the code.

Couple of things, just to make you aware.

1) make sure that:
       <input name="_user" size="30" type="hidden" value="username" />
       <input name="_pass" size="30" type="hidden" value="password" />
       <input name="_host" size="30" type="hidden" value="host" />
are set with the real username, password, and host. If you don't then you can't login because it will be sending USERNAME, PASSWORD, and HOST as actual words to the server. Honestly, this is a security problem because if you hard-code that information anyone who access that page will be logged right into that email account. There are ways around this but it would require a lot of extra coding.
2) make sure you don't have that session ID hard-coded either. Again, if its not dynamically pulled from roundcube then your app wont work.

<?php
session_start();
?>
<html>
<head>
<script type="text/javascript"
src=" program/js/common.js"></script>
<script type="text/javascript"
src=" /program/js/app.js"></script>
<script type= "text/javascript">
<!--
var rcmail = new rcube_webmail();
rcmail.set_env('comm_path',
' ?_auth=<?session_id()?>&_task=mail');
rcmail.set_env('task', 'login');
rcmail.gui_object('message', 'message');
rcmail.gui_object('loginform', 'form');
//-->
</script>
</head>
<body onload="document.form.submit();">
 <form name="form" action="
./" method="post">
   <input type="hidden" name="_auth" value="<?session_id()?>" />
   <input name="_action" value="login" type="hidden" />
   <input name="_user" size="30" type="hidden" value="USERNAME" />
   <input name="_pass" size="30" type="hidden" value="PASSWORD" />
   <input name="_host" size="30" type="hidden" value="HOST" />
 </form>
</body>
</html>