unauthenticate() should remove session when using authSessionsMiddleware

Currently, unauthenticating a session requires unauthenticateSession(), which doesn't make much sense when using the session authentication middleware. He should catch the unauthentication and remove session authentication data if it exists.