OVH has implemented load balancing in a very questionable way where the reverse proxy actually internally adds some cookies which would trigger a security exception. To work around this, this change only checks for the session cookie.
The OCSResponse differs from other responses in that it defaults to
XML. However we fell back to json by default.
This makes sure that if nothing is set we don't pass anything.
Which defaults then to the controllers default (which is often 'json')
but in the case of the OCSResponse 'xml'.