Refactor sessions_controller_spec to work both in rails4 and rails5. Remove the stubbed `request.referer` method, set real header instead.