Avocets

Cookie-based web authentication and single sign-on system designed for largish intranets under a single domain, where many people run their own web servers (and you don't trust them all much).

On first connection, an untrusted web server redirects new requests for restricted pages to the idcheck server to be authenticated. The idcheck server takes and checks the user's credentials and, if successful, redirects the user's browser back to the page they requested. As it redirects, the server installs two cookies: a private cookie, scoped only to the idcheck web server, and a second cookie that acts as a session cookie for the untrusted web server. When subsequent pages are downloaded, the untrusted web server checks that session cookie for validity, over HTTP, against the idcheck server.

When the user accesses another web server that also has idcheck-restricted pages, he does not need to enter his credentials again, because the private idcheck cookie indicates that he has already authenticated and so can bypass the login form. This provides a single sign-on environment for multiple web servers in a single domain.
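
The flow described above, as an added in-process sketch (not idcheck's own code). Class, method and host names are hypothetical, redirects and cookies are modelled as function calls and return values, and binding each session cookie to the site it was issued for is an assumption the description does not state.

```python
import hmac
import secrets

class IdCheckServer:
    """Stand-in for the idcheck server (hypothetical API)."""
    def __init__(self, users):
        self._users = users      # username -> password (constructed sample data)
        self._private = {}       # private cookie -> username; only idcheck ever sees it
        self._sessions = {}      # session cookie -> (username, site it was issued for)

    def login(self, site, username=None, password=None, private_cookie=None):
        """Handle a browser redirected here by `site`.
        Returns (private_cookie, session_cookie), or None if authentication fails."""
        user = self._private.get(private_cookie)
        if user is None:         # no valid private cookie: credentials are required
            expected = self._users.get(username)
            if expected is None or not hmac.compare_digest(expected, password or ""):
                return None
            user = username
            private_cookie = secrets.token_urlsafe(24)
            self._private[private_cookie] = user
        session = secrets.token_urlsafe(24)
        self._sessions[session] = (user, site)   # assumption: bound to one site
        return private_cookie, session

    def validate(self, site, session_cookie):
        """The validity check an untrusted server makes against idcheck."""
        user, bound_site = self._sessions.get(session_cookie, (None, None))
        return user if bound_site == site else None

class UntrustedServer:
    """A web server that holds no credentials and defers every decision to idcheck."""
    def __init__(self, name, idcheck):
        self.name, self.idcheck = name, idcheck

    def get(self, session_cookie=None):
        user = self.idcheck.validate(self.name, session_cookie)
        return f"200 restricted page for {user}" if user else "302 redirect to idcheck"

def demo():
    idcheck = IdCheckServer({"alice": "s3cret"})
    a = UntrustedServer("a.intranet.example", idcheck)
    b = UntrustedServer("b.intranet.example", idcheck)
    first = a.get()                                             # no cookie yet
    private, sess_a = idcheck.login(a.name, "alice", "s3cret")  # login form
    _, sess_b = idcheck.login(b.name, private_cookie=private)   # SSO, no credentials
    # Last item: a session cookie captured by server a is useless at server b.
    return first, a.get(sess_a), b.get(sess_b), b.get(sess_a)
```

Because the private cookie is scoped to the idcheck host, the browser never sends it to servers a or b; they only ever hold their own session cookie.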