Ended up generating the trac_form_token cookie myself for my PHP login form, from a sub-URL of the Trac root (overriding that sub-URL from within IIS so that it is not handled by Trac but by PHP instead). Easy enough to do.
Checking the logged-in user is easy enough to do if you configure Trac to set the path of the trac_auth cookie to be the root of the site. You can then access this and query the Trac SQLite database from PHP to get the user name and permissions.
Then for the PHP login, you generate the trac_form_token and do a POST cURL request to Trac and then pass on the cookies you need from the returned response header.
EDIT: change to trac.ini to make the trac_auth cookie available site-wide and not just from /trac/:
[trac]
auth_cookie_path = /
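
The cookie-to-user lookup described in this answer, as an added example that is not the poster's code. The `auth_cookie` and `permission` tables are from the stock Trac schema; the function names, the hex-format check on the cookie and the in-memory sample rows are assumptions made so the snippet runs on its own.

```php
<?php
// Added example. Table/column names are from the stock Trac schema; the
// cookie-format check and the sample rows below are assumptions.
function trac_user_from_cookie(PDO $db, ?string $cookie): ?string
{
    // Reject anything that is not a plain hex token before touching the DB.
    if ($cookie === null || !preg_match('/^[0-9a-f]{16,64}$/i', $cookie)) {
        return null;
    }
    $stmt = $db->prepare('SELECT name FROM auth_cookie WHERE cookie = ?');
    $stmt->execute([$cookie]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

function trac_permissions(PDO $db, string $user): array
{
    // Every logged-in user also holds what these built-in groups hold.
    $subjects = [$user => true, 'anonymous' => true, 'authenticated' => true];
    $rows = $db->query('SELECT username, action FROM permission')->fetchAll(PDO::FETCH_NUM);
    $actions = [];
    do {
        $grew = false;
        foreach ($rows as [$subject, $action]) {
            if (!isset($subjects[$subject])) {
                continue;
            }
            if (preg_match('/^[A-Z_]+$/', $action)) {
                $actions[$action] = true;      // a permission, e.g. WIKI_VIEW
            } elseif (!isset($subjects[$action])) {
                $subjects[$action] = true;     // a group name: follow it
                $grew = true;
            }
        }
    } while ($grew);
    return array_keys($actions);
}

// Constructed sample data; against a real environment open db/trac.db with
// PDO::SQLITE_ATTR_OPEN_FLAGS => PDO::SQLITE_OPEN_READONLY instead.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE auth_cookie (cookie TEXT, name TEXT, ipnr TEXT, time INTEGER);
           CREATE TABLE permission (username TEXT, action TEXT);
           INSERT INTO auth_cookie VALUES ('0123456789abcdef0123456789abcdef', 'alice', '192.0.2.10', 0);
           INSERT INTO permission VALUES ('alice', 'developers'), ('developers', 'TICKET_MODIFY'),
                                         ('anonymous', 'WIKI_VIEW'), ('bob', 'TRAC_ADMIN');");
$user  = trac_user_from_cookie($db, '0123456789abcdef0123456789abcdef'); // $_COOKIE['trac_auth'] on a real page
$perms = $user === null ? [] : trac_permissions($db, $user);
print_r([$user, $perms]);
```

Meta-permissions such as TRAC_ADMIN are expanded by Trac at runtime rather than stored, so this returns only the actions the table grants directly or through groups.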