I have a candidate patch that fixes this: https://gist.github.com/azito122/503c9fc5006c71922e94ae014db597dc
Basically we just attach session_start to wp_authenticate instead of wp_loaded. I also had to throw in a session_start() call in the logout action to prevent an error.
