Just use the value from the cookie -- we don't need the extra header after all.
Validated with dgibson. Commented out the code that set the session token header, and auth worked as desired.
Sounds good to me! This would break run attribution in the demo, right, since that tries to read the header (as a proof of concept for the prezi ask, I think?)
As a fix, we can probably just refactor the run attribution stuff in the backend to use the existing cookie instead?