Code review comment for lp:~maxiberta/canonical-identity-provider/openid-session-limit

QA instructions, for posterity:

# Run python-openid's example consumer
env/bin/python branches/python-openid/examples/consumer.py

# Go to http://localhost:8001
# Use identifier e.g. https://staging.launchpad.net/~maxiberta-h

# Run a django management shell on staging SSO (stg-sso@wendigo)
juju ssh sso-app/0
cd /srv/login.staging.ubuntu.com/staging/code/current
sudo su ubunet
PYTHONPATH=../../etc env/bin/python django_project/manage.py shell

# Query sessions with multiple openid tokens
from django.contrib.sessions.models import Session
from pprint import pprint
pprint([(s.session_key, s.expire_date, sorted(s.get_decoded().get('token_expirations').items(), key=lambda x: x[1]), sorted(s.get_decoded().keys())) for s in Session.objects.all() if len(s.get_decoded().get('token_expirations', [])) > 1])

# Retry the openid dance and re-print sessions: see how openid tokens in the session accumulate up to 10, then start rotating by expiration date.