If enwiki replication was working though, we wouldn't need anything very complicated... a special database login would have access to the verification information, and most toolserver apps run on a single web domain, so it's straightforward to pass cookies from a central sign-on to all toolserver tools, and we would just need something like asymmetric encyrption to make sure the cookies can't be modified.
Symetric encryption using a secret known to all toolserver users would do. Just create an SHA1 of the cookie value concatenated with the secret and attach that "signature" to the cookie.
That would of course mean that toolserver users would be able to forge teh cookie to gain access - but then, they have access to the data anyway.
Daniel