You are trying to get authenticated session with a token to work over HTTP (not encrypted) and backend tells you you thats not allowed - i wonder why 
Maybe change the url to HTTPS (encrypted) where you create the session ?
Reason for GET most likely could be that the response to POST will also return a redirect header that requests library will obey .