Currently the code uses an arbitrary x-session-id header which the HTTP client is not required to relay back in subsequent requests.
It should be using the standard Set-Cookie mechanism