Remove HTTP args processing?

[bryevdv]

Prompted by looking up some old code for this discussion: https://discourse.bokeh.org/t/sessions-reused-when-behind-iis-proxy/11501

Specifically:

The only way I can see for an existing session to be returned is if an existing session_id gets extracted from either: the HTTP args, the request headers, or the token in the websocket subprotocol header.

Do we need three separate mechanisms for this? Can we drop HTTP arg processing for session ids and insist that it only be sent in an actual request header or token? I would have been worried about server_session but as a matter of fact it was already updated to use the request headers at some point: https://github.com/bokeh/bokeh/blob/branch-3.5/src/bokeh/embed/server.py#L233 Is there some other usage in Bokeh, or for users, that demands an HTTP args approach?

For that matter, is there any way we could we drop all HTTP args? IIRC the processing and handling of these is quite gorpy and complicated.

cc @bokeh/dev