prevent session fixation for external authentication + use request instead of session to flag authentication status and user, for external authentication types
