Improve the robustness of authinstance-in-session handling, to handle an unduplicatable bug (at least by me).

All users who log in to the system should have a valid authinstance in their session. Apparently however, some don't. I can't narrow down how this happens, but this patch will make sure things don't blow up in this case.