Follow-up to d137e981. If the cross-site POST returns a Set-Cookie header, it will overwrite the existing session, and we'll lose the redirect URL. This commit instructs rack not to persist a session cookie in this response.