An instantaneous introduction to authentication using Argus

In general, World Wide Web (WWW) browsers request files from WWW servers and display the contents of those files on a user's computer. However, this simple process has been enhanced to allow many more complex interactions between browsers and servers. This document presents a brief tutorial to using some of those enchancements to authenticate access to online resources.

In particular, this tutorial covers the basics of using the Argus Authentication server operated by ACS at the University of Kansas, including basic Web background material that will be useful for users just beginning to use Argus.

To understand browser-server interaction, you must first understand how Web clients and servers work together to deliver a "normal" HTML document. This is the "canonical" Web activity; the "usual" Web function. Then you need to understand how programs or "scripts" running on a server use the Common Gateway Interface (GCI) to receive requests from users and return documents customized to those requests. In addition, you need to know how web pages, scripts and servers can "redirect" a browser to a specific page when responding to a request for another page.

With this basic information, using Argus becomes straightforward.

The ultimate Argus reference can be found at: http://argus.cc.ku.edu/argus

The Canonical Browser-Server Interaction

During a "normal" document exchange a WWW client (Netscape, Mosaic, Lynx, etc.) requests a document from a WWW server and displays that document on a user display device. If that document contains a link to another document, and the user activates that link, the WWW client will then fetch and display the linked document.

The following diagram shows a WWW client running on a desktop system, Computer A, interacting with two servers: An HTTP server running on Computer B and an HTTP server running on Computer C.

Canonical File Exchange on the Web

The client running on Computer A gets a document, stored in a file named docu1.html, from the HTTP server running on Computer B. This document contains a link to another document, stored in a file named docu2.html on Computer C. The Uniform Resource Locator (URL) for that link might look something like:

http://ComputerC.domain/docu2.html

If the user activates that link, the client retrieves the file from the HTTP server running on Computer C and displays it on the monitor connected to Computer A.

The HyperText Transfer Protocol defines communication between the client and an HTTP server. The following example shows what an HTTP exchange between a Lynx client and an HTTP server running on Computer C might look like as the client fetches docu2.html.

The client sends the following text to server:

GET /docu2.html HTTP/1.1 Accept: www/source Accept: text/html Accept: image/gif User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) * a blank line * The "GET" request indicates which file the client wants and announces that it is using HTTP version 1.0 to communicate. The client also lists the Multipurpose Internet Mail Extension (MIME) file types it will accept in return, and identifies itself as a Netscape client. (The "Accept:" list has been truncated for brevity.)

Finally, the client sends a blank line indicating it has completed its request.

The server then responds by sending:

HTTP/1.1 200 OK Date: Wednesday, 02-Feb-94 23:04:12 GMT Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7 MIME-version: 1.0 Last-modified: Monday, 15-Nov-93 23:33:16 GMT Content-type: text/html Content-length: 2345 * a blank line * <HTML><HEAD><TITLE> . . . </TITLE> . . .etc. In this message the server agrees to use HTTP version 1.0 for communication and sends the status 200 indicating it has successfully processed the client's request. It then sends the date and identifies itself as an NCSA HTTP server. It also indicates it is using MIME version 1.0 to describe the information it is sending, and includes the MIME-type of the information about to be sent in the "Content-type:" header. Finally, it sends the number of characters it is going to send, followed by a blank line and the data itself.

Things to note here:

Executing "scripts"

An HTTP URL may identify a file that contains a program or script rather than an HTML document. That program may be executed when a user activates the link containing the URL.

The diagram below shows an hypertext document on Computer B with a link to a file on Computer C that holds the CGI program that will be executed if a user activates the link. This link is a "normal" http: link, but the file is stored in such a way that the HTTP server on Computer C can tell that the file contains a program that is to be run, rather than a document that is to be sent to the client as usual.

When the program runs, it prepares an HTML document on the fly, and sends that document to the client, which displays the document as it would any other HTML document.

Data Flow with an HTTP Script

Such programs are sometimes called HTTP scripts or "Common Gateway Interface" (CGI) scripts. Note that CGI scripts may be written in scripting languages (like Perl, TCL, etc.) or in any other programming language (like Java, C, Pascal, Basic).

On some HTTP servers these CGI programs are stored in a directory called cgi-bin, and so they are also sometimes called "cgi-bin scripts."

Here is a simple Perl program that can be run by an HTTP server when it receives a request for the file containing the script. When it runs, this program builds an HTML document containing the current time and returns the document to the WWW client that requested it.

#!/usr/bin/perl $date_string = `date`; ( $day_name, $month, $day, $time, $daylight, $year) = split( ' ', $date_string ); print "Content-type:text/html\n\n"; print "<html><head>Date information</head>\n"; print "<body bgcolor=lightblue><h2>Date information</h2>\n"; print "The date is: $month $day, $year\n"; print "The time is: $time $daylight\n"; print "</body></html>\n"; exit;

The program is stored in a file named "date", in a folder called "scripts". When a user activates a link that points to this script, the Web client will generate an HTTP request that might look like:

GET /scripts/date HTTP/1.1 Accept: www/source Accept: text/html Accept: image/gif User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) * a blank line * When the script runs it will generate an HTTP response that might look like: HTTP/1.1 200 OK Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7 MIME-Version: 1.0 Content-type:text/html <html><head>Date information</head> <body bgcolor=lightblue><h2>Date information</h2> The date is: Dec 4, 2003.<br> The time is: 18:22:47 CST. </body></html> This looks just like any HTTP response from an HTTP server returning a normal HTML document. It just happens to have been generated on the fly. Note that the HTTP server itself created the first 3 lines of the response. The script did not have to provide those lines, although it is possible to set the script up to specify every return line

Executing a Script via an HTML Form

The ability to process fill-out forms within the Web required modifications to HTML, Web clients, and Web servers (and eventually to HTTP, as well).

A set of tags was added to HTML to direct a WWW client to display a form to be filled out by a user and then forward the collected data to an HTTP server specified in the form.

To process such forms, servers were modified so that they could start the CGI program specified in the form and pass the collected data to that program, which could, in turn, prepare a response (possibly by consulting a pre-existing database) and return a WWW document to the user.

The following diagram shows the various components of the process.

Data Flow with an HTTP Form

In this diagram, the Web client running on Computer A acquires a form from some Web server running on Computer B. It displays the form, the user enters data, and the client sends the entered information to the HTTP server running on Computer C. There, the data is handed off to a CGI program which prepares a document and sends it to the client on Computer A. The client then displays that document.

An example using a Post query

For example, suppose we want to use the script above to return EITHER the date or the time at the user's request. To do that we would create an HTML form like: <html> <head> <title>Get date OR time</title> </head> <body bgcolor="lightblue"> <h2>Select date OR time</h2> <form action="http://www.ku.edu/cgiwrap/grobe/get-date-OR-time.pl" method="post"> Please select either the <ul> <li><input type=checkbox name=time>Time, or <li><input type=checkbox name=date>Date </ul> <input type=Submit> </form> </body> </html>

When this form is "submitted" by clicking on the "Date" checkbox and the "Submit" button, the information sent to www.ku.edu by the client will resemble:

POST /cgiwrap/grobe/get-date-OR-time.pl HTTP/1.1 Accept: www/source Accept: text/html Accept: video/mpeg Accept: image/jpeg Accept: image/x-tiff Accept: image/x-rgb Accept: image/x-xbm Accept: image/gif Accept: application/postscript User-Agent: Netscape/4.7 libwww/2.14 Content-type: application/x-www-form-urlencoded Content-length: 15 * a blank line * date=on This query is a "POST query" addressed for the program residing in the file at "/cgiwrap/grobe/get-date-OR-time.pl". Once again the client lists the MIME-types it is capable of accepting, and identifies itself and the version of the WWW library it is using.

The MIME-type application/x-www-form-urlencoded means that the variable name-value pairs will be encoded the same way a URL is encoded. In particular, any special characters, including puctuation characters, will be encoded as %nn where nn is the ASCII value for the character in hexidecimal. (Note newer browser will probably use the MIME type "multipart/form-data" in place of "x-www-form-urlencoded".)

Here is a Perl program that could process such a query:

#!/usr/bin/perl use CGI; # use the CGI class library. $q = new CGI; # create a new CGI object. $date_string = `date`; # get the server date string. ( $day_name, $month, $day, $time, $daylight, $year) = split( ' ', $date_string ); print "Content-type:text/html\n\n"; print "<html><head><title>Date information</title></head>\n"; print "<body bgcolor=lightblue><h2>Date information</h2>\n"; # read the "date" parameter from the client. if( $q->param( "date" ) eq "on" ) { print "The date is: $month $day, $year.<br>\n"; } # read the "time" parameter from the client. if( $q->param( "time" ) eq "on" ) { print "The time is: $time $daylight.\n"; } print "</body></html>\n"; exit; This program is very similar to the earlier program. The new material enables the program to access information passed from the user using the Common Gateway Interface (which is why it will be referred to as a "CGI script.")

Using the GET Method

Form data may be sent to scripts for processing by using the GET method as well as the POST method. For example, the form tag in the example above could have been encoded as
<form action="http://www.ku.edu/cgiwrap/grobe/get-date-OR-time.pl" method="get"> If a GET method is used, an HTTP request from the client would look something like: GET /cgiwrap/grobe/get-date-OR-time.pl?date=on Accept: www/source Accept: text/html Accept: video/mpeg Accept: image/jpeg Accept: image/x-tiff Accept: image/x-rgb Accept: image/x-xbm Accept: image/gif Accept: application/postscript User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) * a blank line * This request is very similar to the POST request except that the values of the form variables are sent as part of the URL. That is, the variable values are appended to the URL following a question mark (?), and special characters are escaped just as special characters in URLs must be escaped to assure interoperability. Hence the MIME type designation: application/x-www-form-urlencoded.

The server script can unpack the data shipped in the URL somewhat as it can unpack data sent via the POST method. In fact, the Perl CGI package can accept data sent via either mechanism.

The ability to append data to an arbitrary URL makes it possible to construct HTML anchors that send data to server scripts when they are activated. This allows document creators to prepare "canned queries" within their documents, something that is not possible with the POST method.

On the other hand, sending data via POST queries occurs with more privacy, and can include more information and a wider variety of formats. For example, HTTP server logs will frequently record GET requests. If sensitive data such as Social Security Numbers are sent via the GET method, those SSNs would appear in the HTTP logs.

Redirection

It is possible to configure Web servers, scripts, and/or pages to "redirect" a browser request to another source. For example, the script above could be rewritten to redirect time requests to http://www.ku.edu/cgiwrap/another-time.pl by returning the following HTTP: HTTP/1.1 302 Moved Location:http://www.ku.edu/cgiwrap/another-time.pl Note that a "302" indicates a permanent resource move, while a "301" indicates a temporary move, but most browsers don't distinguish between the two.

Redirection is a critical component of the Argus Authentication mechanism. Server scripts using Argus Authentication redirect initial browser requests to the Argus server for authentication, and the Argus server redirects the request BACK to the original script if authentication is successful.

Note that the redirection can be tricky, especially if you want to relay form arguments to the relay target. If the date-OR-time.pl script were to redirect a user, it MIGHT have to build a redirection line containing the arguments passed in the URL, as in:

HTTP/1.1 302 Moved Location:http://www.ku.edu/cgiwrap/another-time.pl?date=on&time=off

Cookies

The HTTP protocol includes a facility for exchanging non-document information between clients and server applications. This is, typically, information that is used by a server to customize a response for a browser, so that such information is often used to identify a user (or at least the browser from which a user attempts to access an application). The information exchanged is known as a "cookie" and is sent with the HTTP header information (along with "Accept:" information, etc.).

Cookies may posses a variety of attributes, but the general syntax for a cookie is:

Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure where For example, when a browser requests a document and receives a reply, the HTTP headers in the reply may include cookies sent by the server. Here is an example sent by a script called "script_name": Set-Cookie: USER=JSmith; path=/; expires=Sunday, 07-Dec-03 23:12:40 GMT When a browser receives such a cookie, it records what server sent it, along with the attribute information, and if the browser ever makes another request of the same server (or a server in the specified DOMAIN), the browser will return the cookie, if it has not expired, as in: Cookie: script_name USER=JSmith which will be included in the request header. With this exchange, the application can figure out that JSmith has sent another request, even though JSmith did not explicitly identify herself.

Cookes are used by Argus to exchange similar information so users can access a wide variety of University application without having to identify themselves to each new application. In particular, cookies are exchanged:

Note that some cookies are saved by a browser only until the browser is closed. Others are recorded in disk files and are said to "persist" from one use of the browser to another. A cookie without an expiration time will NOT persist, and Argus employs such (non-persistent) cookies to help assure secure access.

The KuPortal modules provided by ACS for use with Argus manage cookies for Argus-enabled scripts, so programmers can usually ignore them. However, to understand the overall process you must have a general idea how of cookies are being passed around "under-the-radar."

Using Argus with the date-time script

Now we are ready to use Argus authentication to build a "secure" version of the date-time script. The version below can only be used by users who have been "authenticated" by Argus and then "authorized" by the script itself. That is, a secure script uses Argus to verify "who" is attempting access, and then consults a list of users who are authorized to use the script to decide whether it should perform its service.

This script interacts with the KuPortal module via the user_status method within the KuPortal module. For more information about KuPortal methods see the online documentation.

#!/usr/local/bin/perl use CGI; # use the CGI Perl module. use KuPortal; # use the KuPortal Perl module. $q = new CGI; # create a new CGI object. # first find out who the user is.... &authenticate(); # and then check to see if they are authorized to use this service. &authorize(); # At this point we know who the user is and that s/he is # authorized to use this service, so return the requested info. $date_string = `date`; # get the date-time string. ( $day_name, $month, $day, $time, $daylight, $year) = split( ' ', $date_string ); #Split the string into component parts, and return the HTML document. print "Content-type:text/html\n\n"; print "<html><head><title>Date information</title></head>\n"; print "<body bgcolor=lightblue><h2>Date information</h2>\n"; $did_something = "false"; # read the "date" parameter sent with the URL. if( $q->param( "date" ) eq "on" ) { print "The date is: $month $day, $year.<br>\n"; $did_something = "true"; } #read the "time" parameter sent with the URL. if( $q->param( "time" ) eq "on" ) { print "The time is: $time $daylight.\n"; $did_something = "true"; } if( $did_something eq "false" ) { print "Neither date nor time were requested.\n"; } print "</body></html>\n"; exit; ################################# sub authenticate() { # do authentication checks....... # Find out who the user is by calling "user_status" which will # check the local Argus cache entry for this script, and either # return the user information or force the user to log in if # they have not logged in or login again if their login session has # expired. $idle_max = 30; # set the login session timeout at 30 minutes. ($user_info, $idle_time, $verify_time, $session_time) = KuPortal::user_status('www.ku.edu/cgiwrap/grobe/secure-service', $idle_max*60, # convert minutes to seconds "Please login to the Date-Time Service"); # Note that this call to user_status will TERMINATE this script, if # a redirection is necessary. Processing will resume at the # beginning if Argus redirects the browser back to this script, # and one of the first activities of this script is to call this # subroutine. This will NOT be a loop unless the user is somehow # logging out of Argus everytime the user logs in. } # end sub authenticate. ################################# sub authorize() { # Split up the user information returned by Argus for the # authenticated user, and then .... ($authenticated_account, $authenticated_person, $authenticated_address ) = split( '\|', $user_info ); $authenticated_person =~ s/,/, /; # make sure the authenticated user is "authorized" to use # this secure service, and return an apology if not. if( ( $authenticated_account ne "grobe" ) && ( $authenticated_account ne "khuxtable" ) ) { # if not authorized, return an apology and quit. print <<SORRY; Content-type: text/html <html> <title>Sorry</title> <body bgcolor="lightblue"> <h2>Sorry, $authenticated_person, you are not authorized to use the Secure Service</h2> </html> SORRY exit; } } # end sub authorize.

Prior to using this script from an HTML form, the action attribute of the form tag must be changed to specify the use of secure HTTP, as in:

<form action="https://www.ku.edu/cgiwrap/grobe/get-date-OR-time.pl" method="get" >

Whenever anyone tries to access the script through the HTML form, user-status will be called and one of two things will happen:

The redirection address will look like: https://argus.cc.ku.edu/logincgi?cacheid=1070668051-18685& return=777777e2b657e2564657f236769677271607f27627f62656f237563657 2756d237562767963656f2765647d2164646275637375637e207c6& msg=05c65616375602c6f6760296e647f6024786560235563657275602355627 67963656 and the response header will include a cookie containing information that the browser must save and later return to the application to identify itself. (Note that the "return" argument is an encoded version of the return URL provided in the argument list to user_status, and the "msg" argument is, likewise, an encoded version of the user_status login message argument.)

The page sent by argus.cc.ku.edu will request that the user login, by entering their online ID and its password on a form. When the user supplies the requested information, the Argus logincgi script will redirect the browser back to the get-date-OR-time.pl script and the browser will include the cookie just received from the the Argus-enabled application. The application will use information sent in that cookie to request specific user information directly from the Argus server.

The application can then tell whether the user's account is one of the "authorized" accounts (namely "grobe" or "khuxtable"). If not, the information they requested will NOT be delivered, and the user will receive an apology in its place.

If the user has logged in using one of the "authorized" accounts, the script will execute, but the requested information will NOT be delivered because the GET parameters are lost during the redirection process. The returned page will say that "Neither date nor time were requested."

To finally get the information, the user must press the "Back" button on the browser to return to the get-date-OR-time.html Web page and resubmit the request, which will then be satisfied.

Preserving form information during redirection

As just discussed, form values passed to the application are lost during redirection to the Argus login script. This problem can be fairly easily fixed for scripts processing GET arguments, but not so easily for scripts using POST arguments. This section will present solutions to this problem.

For values passed through GET parameters, simply pass the query string from the URL as the fourth parameter in the user_status call, as in:

($user_info, $idle_time, $verify_time, $session_time) = KuPortal::user_status ( 'www.ku.edu/cgiwrap/grobe/secure-service', $idle_max*60, # convert minutes to seconds "Please login to the Date-Time Service", $ENV{ 'QUERY_STRING' } ); The query string will be included by Argus in the redirected URL returned to the browser. The Apache HTTP server running on KU Unix systems records the query string portion of an incoming URL in an environment variable called "QUERY_STRING". Within Perl the $ENV hash holds the Unix environment variables and $ENV{ 'QUERY_STRING' } can be used to access the value.

The problem is more complicated for POST arguments for several reason:

However, for most cases the script can create a temporary file on the server before the call to authenticate() and pass the name of that file as a parameter in the call to user_status. For example, a common approach is to create a "unique" file name by appending the current Process ID ($$) to the current epochal time (the number of non-leap seconds since Jan 1, 1970), as in: $seconds = time; $PID = $$; $temp_file_name = "$seconds-$PID"; open( TEMP_FILE, "> $temp_file_name" ); Then collect all the POST and GET arguments (as appropriate), write them to the named file, close the file, and pass the file name as: ($user_info, $idle_time, $verify_time, $session_time) = KuPortal::user_status ( 'www.ku.edu/cgiwrap/grobe/secure-service', $idle_max*60, # convert minutes to seconds "Please login to the Date-Time Service", "temporary_file_name=$temp_file_name" );

Having saved script arguments is just part of the process, however. The program must then be modified to check for the presence of a temporary_file_name argument when it is started. If it finds a temporary file, it must then read the contents of the file, assign them in appropriate variables, and call user_status again to get the user information required by the program. This call will not cause another redirection to the Argus server unless the session timeout is set to zero or some very small number of seconds; it, instead, only get information from the local cache.

Here is a version of get-date-OR-time.pl that uses this approach:

#!/usr/local/bin/perl use CGI; # use the CGI class library. use KuPortal; # use the KuPortal class library. $q = new CGI; # create a new CGI object. # first check to see if this is a redirect from a previous # call to user_status that resulted in a user login exchange with # Argus so that the current URL will specify a temporary file # from which we must retrieve passed arguments. $temporary_file_name = ""; $temporary_file_name = $q->param( 'temporary_file_name' ); if( $temporary_file_name ne "" ) { $file_open_status = open( TEMP_FILE, "$temporary_file_name" ); # all args have been passed on a single line (in this example), # so we just read one line from the temp file. $query_list = <TEMP_FILE>; close( TEMP_FILE ); # if we remove the temp file, users will not be able to refresh the page, # which may be OK in some instances. #$remove_file_status = `rm $temporary_file_name`; # delete the temp file. # now we have to split the query list into name/value pairs and # assign the pair values to Perl variables. @arg_strings = split( "&", $query_list ); foreach $arg_string ( @arg_strings ) { ( $arg_name, $arg_value ) = split( "=", $arg_string ); if( $arg_name eq "date" ) { $date_request = $arg_value; } if( $arg_name eq "time" ) { $time_request = $arg_value; } } # then get the user info..which will not cause a redirect this # time because it is "fresh." $idle_max = 30; # set the login session timeout at 30 minutes. ($user_info, $idle_time, $verify_time, $session_time) = KuPortal::user_status ( 'www.ku.edu/cgiwrap/grobe/secure-service', $idle_max*60, # convert minutes to seconds ); } else # this script has NOT been started as a redirect from a call { # to user_status that resulted in an Argus login, so we need # to authenticate and collect passed arguments. &authenticate(); $date_request = $q->param( "date" ); $time_request = $q->param( "time" ); } # and then check to see if the authenticated user is authorized to # use this service. &authorize(); # At this point we know who the user is and that s/he is # authorized to use this service, so return the requested info. $date_string = `date`; # get the date-time string. ( $day_name, $month, $day, $time, $daylight, $year) = split( ' ', $date_string ); #Split the string into component parts, and return the HTML document. print "Content-type:text/html\n\n"; print "<html><head><title>Date information</title></head>\n"; print "<body bgcolor=lightblue><h2>Date information</h2>\n"; $did_something = "false"; # read the "date" parameter sent with the URL. if( $date_request eq "on" ) { print "The date is: $month $day, $year.<br>\n"; $did_something = "true"; } #read the "time" parameter sent with the URL. if( $time_request eq "on" ) { print "The time is: $time $daylight.\n"; $did_something = "true"; } if( $did_something eq "false" ) { print "Neither date nor time were requested.\n"; } print "</body></html>\n"; exit; ################################# sub authenticate() { # First, save the current arguments in a temporary file.... $seconds = time(); $PID = $$; $temp_file_name = "/tmp/$seconds-$PID"; # copy the arguments to that file for later use by another # instance of this program. open( TEMP_FILE, "> $temp_file_name" ); print TEMP_FILE $ENV{ 'QUERY_STRING' }; close( TEMP_FILE ); # and then call "user_status" which will check the local Argus # cache entry for this script, and either return the user # information or force the user to log in if they have not # logged in or login AGAIN if their login session has expired. $idle_max = 30; # set the login session timeout at 30 minutes. ($user_info, $idle_time, $verify_time, $session_time) = KuPortal::user_status ( 'www.ku.edu/cgiwrap/grobe/secure-service', $idle_max*60, # convert minutes to seconds "Please login to the Date-Time Service", "temporary_file_name=$temp_file_name" ); # If we get here we can remove TEMP_FILE, because it wasn't # necessary and won't be necessary. $remove_temp_file_status = `rm $temp_file_name`; # delete temp file. } # end sub authenticate ######################### # sub authorize() has been omitted from this example since it # has not changed from the earlier example. This approach is somewhat less than straightforward, at least one minor problem; the temporary file used to store data during authentication cannot be deleted IF the programmer wants the users to be able to refresh the page returned with the URL containing the temporary file name. This means that some mechanism must be put in place to delete temporary files on a regular basis, and that temporary files must be secure.

What it means to be logged in to Argus

When you log in to Argus from a browser, you should be able to use any application that requires Argus authentication without logging in again. For example, if you log in to Argus while using the Kyou portal using a single "instance" of your desktop browser, you will then also be able to use the get-date-OR-time service from that browser without logging in again.

Likewise, if you log in to Argus while using the get-date-OR-time application, and then also begin using the Kyou portal where you log OUT, you will no longer be able to use get-date-OR-time (without logging in again) after get-date-OR-time exceeds its 30 minute session timeout.

Every time get-date-OR-time runs, it will check to make sure that you have authenticated, but will ask Argus if you are STILL logged in only every 30 minutes. That is, when you log out of Argus, there is no notification to get-date-OR-time that "Elvis has left the building." get-date-OR-time will not realize you have logged out until it conducts its periodic check.

Also, if you open another browser on your desktop computer while you are still using the first browser, or even another "instance" of the same Web browser, you will be asked to log in to Argus again, even though you are already logged in via the first browser or browser instance.

Argus was named after the figure of the 100-eyed herdsman in Greek mythology, and when you log in, you become a member of the herd that Argus is watching. Or, more accurately, the browser instance you are using becomes a member of the herd. That browser will be allowed to graze on various Argus-authenticated applications until logout, or some minutes past logout depending on how often each application checks for session viability.

Additional information

This presentation has been terse. If you need more detail and/or a more elaborate presentation of this material, please consult: or some of the many resources available on the Web or your local bookstore.

Michael Grobe
December 2003
ALVS