Support updating established sessions via encrypted JSON authentication

When only JSON authentication is in use, it is not possible to have multiple connections open from the same browser.

•  a connection has been established already using ?data=connection1_json
•  a subsequent request for ?data=connection2_json is submitted
•  the json is not decrypted or validated
•  the user is redirected to /client/...?data=connection2_json, but the json is ignored and a second connection is made to connection1

It appears that the original session is cached in some way.  Adding something to the JSON body or a URL parameter to control this unintuitive behavior would be very helpful.