Injected user credentials should be cleaned up regardless of the result of authenticate()

[muhuk]

Methods using authenticated=True receives username and password when the user is authenticated and the client somehow sends the session cookie.

Injected params should be cleaned since this is not a unusual case if we are using the same user accounts we are using to access sites for RPC requests.

[p3k]

+1

This is a problem I just stumbled across, too.

[samuraisam]

Cool, maybe one could write a pull request? The code path is really simple (sorry, I just don't have much time right now)