Session Fixation in lib-auth

All id-providers using lib-auth login method.

Don't use lib-auth for login.
Java API uses low-level structures and allows to invalidate previous session before auth-info is added.

Provide feedback