don't send Set-Cookie back from eventsource calls

[srabraham]

this fixes the below issue, in a minimally hacky way.
The eventsource call doesn't require authentication, and
when a client does automatic connection retries on this
endpoint, it'll sometimes get back a Set-Cookie value
for a brand new, unauthenticated Twisted session. That
cookie value can stomp over a valid, authenticated session
cookie that the client may already have. The result is that
a user can effectively be logged out after a session lasting
less than a minute. That's not desirable.

#1363

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 1 line in your changes missing coverage. Please review.

Project coverage is 69.64%. Comparing base (52049e7) to head (d7ec66c).
Report is 1 commits behind head on master.

Files with missing lines	Patch %	Lines
src/ims/application/_api.py	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1456      +/-   ##
==========================================
- Coverage   69.67%   69.64%   -0.03%     
==========================================
  Files         181      181              
  Lines        8995     8996       +1     
  Branches     1494     1494              
==========================================
- Hits         6267     6265       -2     
- Misses       2623     2625       +2     
- Partials      105      106       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.