Security is initiated by sending users from the app to a Kerberos Shibboleth login. If the user authenticates successfully, they are routed to a PHP file that begins a RAFT session and authenticates every subsequent call against the Shibboleth token. After that, every AJAX and HTTP call is routed through that PHP session and checked for the Shibboleth token. If the token is missing or has expired, the call is refused. Every 10 seconds, the front end makes a "heartbeat" AJAX call to the middle tier. If the database layer is down or the person is not authenticated, the heartbeat call will return this message and end the user's session.
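A front-end heartbeat of the kind described above, written to fail closed, is sketched below as an added example; it is not the application's own code. The endpoint URL passed in, the JSON fields `authenticated` and `db`, and all function names are assumptions made for illustration.

```javascript
// Added example. The response shape {authenticated: bool, db: "up"|"down"}
// is an assumed contract between the front end and the middle tier.
const HEARTBEAT_MS = 10000; // the 10-second interval described on the page

// Decide what one heartbeat result means. Anything other than an explicit
// "authenticated and database up" ends the session (fail closed).
function classifyHeartbeat(result) {
  if (!result || result.networkError) return { end: true, reason: "unreachable" };
  if (result.status === 401 || result.status === 403) return { end: true, reason: "unauthenticated" };
  if (result.status !== 200) return { end: true, reason: "server-error" };
  const body = result.body;
  if (!body || typeof body !== "object") return { end: true, reason: "malformed" };
  if (body.authenticated !== true) return { end: true, reason: "unauthenticated" };
  if (body.db !== "up") return { end: true, reason: "database-down" };
  return { end: false, reason: "ok" };
}

// One heartbeat round trip. fetchFn is injected so it can be stubbed offline.
async function beatOnce(fetchFn, url) {
  try {
    const res = await fetchFn(url, { credentials: "same-origin", cache: "no-store" });
    let body = null;
    try { body = await res.json(); } catch (_) { /* stays null: malformed */ }
    return classifyHeartbeat({ status: res.status, body });
  } catch (_) {
    return classifyHeartbeat({ networkError: true });
  }
}

// Poll every intervalMs; stop and call onEnd(reason) at the first failing beat.
// Returns a function that cancels the polling (for example on logout).
function startHeartbeat({ fetchFn, url, onEnd, intervalMs = HEARTBEAT_MS }) {
  let stopped = false;
  const timer = setInterval(async () => {
    const verdict = await beatOnce(fetchFn, url);
    if (verdict.end && !stopped) {
      stopped = true;
      clearInterval(timer);
      onEnd(verdict.reason);
    }
  }, intervalMs);
  return () => { stopped = true; clearInterval(timer); };
}
```

The heartbeat only tells the browser to close the session view. The control that matters is still the server-side token check on every call, because a client can simply stop sending heartbeats.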