Destroying a session that doesn't exist returns status code 500 if ACLs are enabled

[wawe]

Overview of the Issue

Per the documentation,
deleting a session is an idempotent operation and returns 200.

When ACLs are enabled, destroying a session that doesn't exist returns 500.

Reproduction Steps

See the attached script for a detailed example to reproduce
the correct behavior when ACLs are disabled
and the incorrect behavior with ACLs enabled:

create_and_destroy.txt

1. Run consul with ACL enabled (locally with development mode is sufficient)
2. Run curl -I -s -X PUT localhost:8500/v1/session/destroy/cb30618e-800f-9e3e-cd31-9a062d670928
3. Command returns status code 500 instead of 200

Sample configuration used:

{
  "primary_datacenter": "dc1",
  "acl" : {
    "enabled": true,
    "default_policy": "allow",
    "down_policy": "extend-cache"
  }
}

Consul info for both Client and Server

Running locally in development mode
consul version 1.6.1

Operating system and Environment details

macOS locally, but also happens on our cluster running on RHEL7.