Consider proxying /api/sessions instead of using custom headers

[parente]

Spotted during #196

There's two custom headers sent by the client when requesting a kernel. One contains a client-generated session ID and the other the path of the associated dashboard-notebook. It's possible that these are covered by the purpose of the session API implemented in Jupyter notebook/kernel gateway. It might be better if we stick to the stock API instead of adding our own headers.

I don't see any immediate security issue with these headers. Only noting this for future compatibility / security reasons.