Rob,
I think I've found an odd bug - on Chrome, but not IE, if I
1)login to the ProjSummary dashboard (old version at lowemississippi or my new version),
2) click on a recent upload,
3) login to the ACR to view it (as the same or a different user)
4) quit the browser,
5) Reopen the browser and login to the proj summary/dashbaord again
6)click on a recent upload image
I get in to Medici with no login - reusing the credentials I used in the last session.
Going directly to the main Medici interface in step 5 gives me the login screen. Once I've hit that, going back to repeat steps 5,6 or 4,5,6 only gives me the Medici login screen.
I can see the original session cookie for medici when I do 4,5,6 showing the login name for step 3.

It seems that somehow coming in the second time - perhaps because of the calls to /api/image/preview/small?, or just because of the dummy query to the resteasy interface to check the user's credentials - allows the original Medici cookies to get associated with the new session. But they don't work/apply if you just go direct to Medici when you restart the browser.

Any ideas?