SqlAlchemyVisitManager? is missing a session.flush() call after it creates a new visit. This means that subsequent code that looks for a visit_key (ie to associate an identity with a visit after credential verification) won't find a visit that was just added in the same request. But the extra visit does eventually get added in the flush at the end of the request, but by then the identity has been associated with a new visit, so it's just orphaned in the db.
The solution is to add session.flush() after the save(...) call in new_visit_with_key.
This however, causes extra sessions to be created in a new manner. During an inital visit (without a cookie), the visit code will create a new session. Subsequently the identity framework may cause the visit filter to run again. It will try to look up the session again, still without a cookie from the client and again fail and therefore create a second session. Both of these will get committed to the database because of the above fix. My proposed solution to that is to make the visit filter aware of whether there is a current visit (which there will be if the filter has already run). If there is such a current visit, it will not execute the lookup or initialization code.
I will attach two patches, one for each of the above problems.
