Skip to content Skip to navigation


WebAuth is the authentication system that underlies WebLogin, which enables access to protected web pages and web applications. SUNet ID account holders use WebAuth to gain access to these protected resources; content managers use it to restrict access to certain web pages; and some system administrators use the WebAuth module on their departmental Apache web servers.

The first time you visit a web page protected by WebAuth, you're sent to a central login server (at Stanford, it's and prompted to authenticate. Normally, you enter your username and password, although other authentication methods are possible. After you log in, the WebLogin server sends your encrypted identity back to the original web page you tried to access. Your identity gets stored in a cookie set by the WebLogin server and you won't need to authenticate again until your credentials expire, even if you visit multiple protected websites.


  • Works with any browser that supports cookies.
  • Doesn't require you to install agents or other software on the client web browser systems.
  • Works with an existing Kerberos v5 authentication realm.
  • Single sign-on provider for a Shibboleth IdP.
  • Supports SPNEGO authentication as well as username/password over TLS/SSL.

Learn more

For IT providers

If you manage online content and need to learn how to restrict access to web-based resources, see these pages:

Last modified February 26, 2016