Cross site security.

How to make 2 sites talk to each other securely without SSL

Dabrowski

6:35 pm on Dec 22, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have a few clients now asking me about customised webapps, and very simple dynamic content systems such as adding a new news headline.

Obviously these clients want their portals to be secure, but the cost of SSL sometimes is overkill for what they need.

I want to set up a website to validate logons with SSL, then once the credentials are verified the client would be directed back to their portal.

There would have to be a session set up on the portal site, preconfigured to accept a connection from the client IP address.

I think all this can be done, and protected with referring IP addresses, but I'm not entirely sure if a referrer address can be faked?

Dabrowski

8:33 pm on Dec 22, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Sorry, wrong question. I don't mean can a referrer string be faked, obviously that can.

I meant can the client IP be faked, or the IP addresses of the servers talking to each other?

LifeinAsia

8:36 pm on Dec 22, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



"but the cost of SSL sometimes is overkill for what they need"

You can set up SSL for free with OpenSSL - perfect for use on an intranet.

Dabrowski

8:41 pm on Dec 22, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've not used OpenSSL. To save me delving through various incomplete manpages: have you used it? Does it work? Can it easily be integrated into my application?

LifeinAsia

10:15 pm on Dec 22, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I've used it on several intranet sites. The first couple of times I had some problems, but then just added my notes to the documentation.

The setups I've been using are Windows/IIS configurations. Not sure if that will work for you. But I am sure there are other free/open source options available for other configurations.

But if that configuration will work for you, I highly recommend [dylanbeattie.net...] (just make sure you do NOT do step 3!).

Dabrowski

11:11 pm on Dec 22, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



On intranet sites using IIS, why not just use Windows CA?

I've had a look at this, I don't think it's what I need really.

I probably should clarify something, the reason only the logon needs to be secure is that the portal itself won't contain any secure information.

The process I have in mind is:
1. Client accesses portal (or logon site directly)
2. (client is redirected) authenticates with logon site ok
3. Logon site sends something, like a pre-configured session id to portal
4. Logon site redirects client to portal

So the mechanism I need to be secure is the logon site talking to the portal. It's probably only going to execute one command but if it's spoofable then there's no point having a secure logon.
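The step 3 handoff described above, as an added example that is not code from this thread or from either poster. Rather than trusting the source IP (which the portal cannot verify on its own), the logon site signs the message with a keyed MAC over a shared secret, and the portal checks the signature, a freshness window and a one-time nonce, so a replayed or altered message is rejected. The shared secret, field names and the 60-second window are assumptions for the example.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode, parse_qs

# Assumption: the logon site and the portal share this key out of band.
# Constructed value for the example; use a random 32-byte key in practice.
SHARED_SECRET = b"constructed-shared-secret-for-example-only"

def _sign(secret: bytes, fields: dict) -> str:
    # Canonical form: URL-encoded, sorted key=value pairs, so both sides
    # MAC exactly the same bytes and no field can masquerade as another.
    canonical = urlencode(sorted(fields.items()))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()

def issue_handoff(secret: bytes, user: str, session_id: str, now: int, nonce: str = "") -> str:
    """Logon site: build the message telling the portal to accept session_id for user."""
    fields = {
        "user": user,
        "sid": session_id,
        "ts": str(now),                      # issue time, for the freshness check
        "nonce": nonce or secrets.token_hex(16),  # one-time value, for replay detection
    }
    fields["sig"] = _sign(secret, fields)
    return urlencode(fields)

def verify_handoff(secret: bytes, message: str, now: int, seen_nonces: set, max_age: int = 60):
    """Portal: accept only if MAC, freshness and nonce checks all pass.
    Returns (accepted, detail) where detail is the user on success or the reason on failure."""
    parsed = {k: v[0] for k, v in parse_qs(message, strict_parsing=True).items()}
    sig = parsed.pop("sig", None)
    if sig is None or set(parsed) != {"user", "sid", "ts", "nonce"} or not parsed["ts"].isdigit():
        return False, "malformed"
    # compare_digest runs in constant time, so an attacker cannot learn the MAC byte by byte
    if not hmac.compare_digest(sig, _sign(secret, parsed)):
        return False, "bad signature"
    if abs(now - int(parsed["ts"])) > max_age:
        return False, "stale"
    if parsed["nonce"] in seen_nonces:
        return False, "replay"
    seen_nonces.add(parsed["nonce"])
    return True, parsed["user"]
```

The MAC gives the portal authenticity and integrity but not confidentiality, so the session id inside the message is still visible to anyone who can read the logon-to-portal traffic.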