Use session tokens in the auth header #3458

@havocp

Right now we put the session ID in the URL, which means that if someone shares the URL they are leaking their access (in a scenario where session IDs are handed out only after authentication). This may be undesirable and could be fixed by allowing the session ID to be set in a cookie instead.
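An added sketch of the change this issue asks for, not code from the project: the session ID is stripped from the shareable URL, handed out as a cookie, and read server-side only from the auth header or the cookie. The parameter and cookie name `session-id`, the `Bearer` scheme and the sample values are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "session-id"   # hypothetical query parameter name
SESSION_COOKIE = "session-id"  # hypothetical cookie name


def strip_session_from_url(url):
    """Return (url_without_session_id, session_id_or_None)."""
    parts = urlsplit(url)
    kept, sid = [], None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == SESSION_PARAM:
            sid = value            # pulled out so it never travels with the link
        else:
            kept.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), sid


def session_cookie_header(sid):
    """Build a Set-Cookie value that keeps the ID out of URLs and page scripts."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = sid
    morsel = jar[SESSION_COOKIE]
    morsel["path"] = "/"
    morsel["httponly"] = True      # not readable from document.cookie
    morsel["secure"] = True        # sent over HTTPS only
    morsel["samesite"] = "Lax"     # not attached to cross-site subrequests
    return morsel.OutputString()


def session_from_request(url, headers):
    """Accept the session ID from the auth header or cookie, never from the URL."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    jar = SimpleCookie(headers.get("Cookie", ""))
    if SESSION_COOKIE in jar:
        return jar[SESSION_COOKIE].value
    return None                    # a session ID in the query string is ignored


if __name__ == "__main__":
    # Constructed sample URL; the ID is a made-up value.
    shared = "https://app.example/plot?session-id=CONSTRUCTED123&theme=dark"
    clean, sid = strip_session_from_url(shared)
    print(clean)
    print("Set-Cookie:", session_cookie_header(sid))
    print(session_from_request(shared, {}))  # None: the URL alone grants nothing
```

With this shape, a copied link carries only `theme=dark`, and a request that presents the ID solely in the query string is treated as unauthenticated.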
