I've debug for quite a while now, but actually couldn't find the change that actually caused the problem.
Even going a few hundreds commits back in history didn't fix the issue locally, so it seems to be there for a while.
Which actually makes it even more strange that it still works on demo.
Nevertheless, for some reason the Authentication does never return a success state for
anonymous user. So the Auth object holds no login, and the list of available sites stays empty
Looking at the test results indicates, that we actually never returned a success state for anonymous before. The tests for that didn't change since 2014.
Not sure how that could be solved in another way. If there is no successful authentication the session won't be initialized and so the current session will always be counted as outdated.
@diosmosis @tsteur maybe one of you has an idea for that. Don't want to waste more time debugging the code...