AuthSession objects lifetime is confusing
Currently, the AuthSession destructor is protected, and the authsession objects are entirely managed by the parent Identity. The Identity deletes the sessions only in its signOut() or destructor methods, meaning that they usually stay alive as long as the Identity is kept alive. Besides being suboptimal for the point of view of memory usage, this behaviour becomes a real obstacle given how Identity::createSession() works: if there already is a session for the requested mechanism, NULL is returned.
Suggested changes:
- make createSession() always return a new object
- make the AuthSession destructor public.