Skip to content

fix(examples): return 404 for invalid session IDs #1707

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
owendevereaux wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(examples): return 404 for invalid session IDs #1707

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
06a672d
fix(examples): return 404 for invalid session IDs
joewanko Mar 19, 2026
64c7a4a
chore: add changeset for invalid session ID fix
joewanko Mar 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changeset/pink-goats-push.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
"@modelcontextprotocol/examples-server": patch
---

fix(examples): return 404 for invalid session IDs
39 changes: 33 additions & 6 deletions examples/server/src/elicitationFormExample.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -338,6 +338,19 @@ async function main() {
if (sessionId && transports[sessionId]) {
// Reuse existing transport for this session
transport = transports[sessionId];
} else if (sessionId && !transports[sessionId]) {
// Session ID provided but not found - return 404 to signal client should start new session
// Per MCP spec: "When a client receives HTTP 404 in response to a request containing
// an Mcp-Session-Id, it MUST start a new session"
res.status(404).json({
jsonrpc: '2.0',
error: {
code: -32_000,
message: 'Session not found'
},
id: null
});
return;
} else if (!sessionId && isInitializeRequest(req.body)) {
// New initialization request - create new transport
transport = new NodeStreamableHTTPServerTransport({
Expand Down Expand Up @@ -365,12 +378,14 @@ async function main() {
await transport.handleRequest(req, res, req.body);
return;
} else {
// Invalid request - no session ID or not initialization request
// No session ID and not an initialization request - return 400
// Per MCP spec: "Servers that require a session ID SHOULD respond to requests without
// an Mcp-Session-Id header (other than initialization) with HTTP 400 Bad Request"
res.status(400).json({
jsonrpc: '2.0',
error: {
code: -32_000,
message: 'Bad Request: No valid session ID provided'
message: 'Bad Request: Session ID required'
},
id: null
});
Expand Down Expand Up @@ -399,8 +414,14 @@ async function main() {
// Handle GET requests for SSE streams
const mcpGetHandler = async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
// No session ID provided
res.status(400).send('Session ID required');
return;
}
if (!transports[sessionId]) {
// Session ID provided but not found - return 404 per MCP spec
res.status(404).send('Session not found');
return;
}

Expand All @@ -414,8 +435,14 @@ async function main() {
// Handle DELETE requests for session termination
const mcpDeleteHandler = async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
// No session ID provided
res.status(400).send('Session ID required');
return;
}
if (!transports[sessionId]) {
// Session ID provided but not found - return 404 per MCP spec
res.status(404).send('Session not found');
return;
}

Expand Down
39 changes: 33 additions & 6 deletions examples/server/src/elicitationUrlExample.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -571,6 +571,19 @@ const mcpPostHandler = async (req: Request, res: Response) => {
if (sessionId && transports[sessionId]) {
// Reuse existing transport
transport = transports[sessionId];
} else if (sessionId && !transports[sessionId]) {
// Session ID provided but not found - return 404 to signal client should start new session
// Per MCP spec: "When a client receives HTTP 404 in response to a request containing
// an Mcp-Session-Id, it MUST start a new session"
res.status(404).json({
jsonrpc: '2.0',
error: {
code: -32_000,
message: 'Session not found'
},
id: null
});
return;
} else if (!sessionId && isInitializeRequest(req.body)) {
const server = getServer();
// New initialization request
Expand Down Expand Up @@ -607,12 +620,14 @@ const mcpPostHandler = async (req: Request, res: Response) => {
await transport.handleRequest(req, res, req.body);
return; // Already handled
} else {
// Invalid request - no session ID or not initialization request
// No session ID and not an initialization request - return 400
// Per MCP spec: "Servers that require a session ID SHOULD respond to requests without
// an Mcp-Session-Id header (other than initialization) with HTTP 400 Bad Request"
res.status(400).json({
jsonrpc: '2.0',
error: {
code: -32_000,
message: 'Bad Request: No valid session ID provided'
message: 'Bad Request: Session ID required'
},
id: null
});
Expand Down Expand Up @@ -643,8 +658,14 @@ app.post('/mcp', authMiddleware, mcpPostHandler);
// Handle GET requests for SSE streams (using built-in support from StreamableHTTP)
const mcpGetHandler = async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
// No session ID provided
res.status(400).send('Session ID required');
return;
}
if (!transports[sessionId]) {
// Session ID provided but not found - return 404 per MCP spec
res.status(404).send('Session not found');
return;
}

Expand Down Expand Up @@ -682,8 +703,14 @@ app.get('/mcp', authMiddleware, mcpGetHandler);
// Handle DELETE requests for session termination (according to MCP spec)
const mcpDeleteHandler = async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
// No session ID provided
res.status(400).send('Session ID required');
return;
}
if (!transports[sessionId]) {
// Session ID provided but not found - return 404 per MCP spec
res.status(404).send('Session not found');
return;
}

Expand Down
19 changes: 17 additions & 2 deletions examples/server/src/jsonResponseStreamableHttp.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,19 @@ app.post('/mcp', async (req: Request, res: Response) => {
if (sessionId && transports[sessionId]) {
// Reuse existing transport
transport = transports[sessionId];
} else if (sessionId && !transports[sessionId]) {
// Session ID provided but not found - return 404 to signal client should start new session
// Per MCP spec: "When a client receives HTTP 404 in response to a request containing
// an Mcp-Session-Id, it MUST start a new session"
res.status(404).json({
jsonrpc: '2.0',
error: {
code: -32_000,
message: 'Session not found'
},
id: null
});
return;
} else if (!sessionId && isInitializeRequest(req.body)) {
// New initialization request - use JSON response mode
transport = new NodeStreamableHTTPServerTransport({
Expand All @@ -111,12 +124,14 @@ app.post('/mcp', async (req: Request, res: Response) => {
await transport.handleRequest(req, res, req.body);
return; // Already handled
} else {
// Invalid request - no session ID or not initialization request
// No session ID and not an initialization request - return 400
// Per MCP spec: "Servers that require a session ID SHOULD respond to requests without
// an Mcp-Session-Id header (other than initialization) with HTTP 400 Bad Request"
res.status(400).json({
jsonrpc: '2.0',
error: {
code: -32_000,
message: 'Bad Request: No valid session ID provided'
message: 'Bad Request: Session ID required'
},
id: null
});
Expand Down
39 changes: 33 additions & 6 deletions examples/server/src/simpleStreamableHttp.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -654,6 +654,19 @@ const mcpPostHandler = async (req: Request, res: Response) => {
if (sessionId && transports[sessionId]) {
// Reuse existing transport
transport = transports[sessionId];
} else if (sessionId && !transports[sessionId]) {
// Session ID provided but not found - return 404 to signal client should start new session
// Per MCP spec: "When a client receives HTTP 404 in response to a request containing
// an Mcp-Session-Id, it MUST start a new session"
res.status(404).json({
jsonrpc: '2.0',
error: {
code: -32_000,
message: 'Session not found'
},
id: null
});
return;
} else if (!sessionId && isInitializeRequest(req.body)) {
// New initialization request
const eventStore = new InMemoryEventStore();
Expand Down Expand Up @@ -685,12 +698,14 @@ const mcpPostHandler = async (req: Request, res: Response) => {
await transport.handleRequest(req, res, req.body);
return; // Already handled
} else {
// Invalid request - no session ID or not initialization request
// No session ID and not an initialization request - return 400
// Per MCP spec: "Servers that require a session ID SHOULD respond to requests without
// an Mcp-Session-Id header (other than initialization) with HTTP 400 Bad Request"
res.status(400).json({
jsonrpc: '2.0',
error: {
code: -32_000,
message: 'Bad Request: No valid session ID provided'
message: 'Bad Request: Session ID required'
},
id: null
});
Expand Down Expand Up @@ -725,8 +740,14 @@ if (useOAuth && authMiddleware) {
// Handle GET requests for SSE streams (using built-in support from StreamableHTTP)
const mcpGetHandler = async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
// No session ID provided
res.status(400).send('Session ID required');
return;
}
if (!transports[sessionId]) {
// Session ID provided but not found - return 404 per MCP spec
res.status(404).send('Session not found');
return;
}

Expand Down Expand Up @@ -756,8 +777,14 @@ if (useOAuth && authMiddleware) {
// Handle DELETE requests for session termination (according to MCP spec)
const mcpDeleteHandler = async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
// No session ID provided
res.status(400).send('Session ID required');
return;
}
if (!transports[sessionId]) {
// Session ID provided but not found - return 404 per MCP spec
res.status(404).send('Session not found');
return;
}

Expand Down
35 changes: 30 additions & 5 deletions examples/server/src/simpleTaskInteractive.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -649,6 +649,16 @@ app.post('/mcp', async (req: Request, res: Response) => {

if (sessionId && transports[sessionId]) {
transport = transports[sessionId];
} else if (sessionId && !transports[sessionId]) {
// Session ID provided but not found - return 404 to signal client should start new session
// Per MCP spec: "When a client receives HTTP 404 in response to a request containing
// an Mcp-Session-Id, it MUST start a new session"
res.status(404).json({
jsonrpc: '2.0',
error: { code: -32_000, message: 'Session not found' },
id: null
});
return;
} else if (!sessionId && isInitializeRequest(req.body)) {
transport = new NodeStreamableHTTPServerTransport({
sessionIdGenerator: () => randomUUID(),
Expand All @@ -671,9 +681,12 @@ app.post('/mcp', async (req: Request, res: Response) => {
await transport.handleRequest(req, res, req.body);
return;
} else {
// No session ID and not an initialization request - return 400
// Per MCP spec: "Servers that require a session ID SHOULD respond to requests without
// an Mcp-Session-Id header (other than initialization) with HTTP 400 Bad Request"
res.status(400).json({
jsonrpc: '2.0',
error: { code: -32_000, message: 'Bad Request: No valid session ID' },
error: { code: -32_000, message: 'Bad Request: Session ID required' },
id: null
});
return;
Expand All @@ -695,8 +708,14 @@ app.post('/mcp', async (req: Request, res: Response) => {
// Handle GET requests for SSE streams
app.get('/mcp', async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
// No session ID provided
res.status(400).send('Session ID required');
return;
}
if (!transports[sessionId]) {
// Session ID provided but not found - return 404 per MCP spec
res.status(404).send('Session not found');
return;
}

Expand All @@ -707,8 +726,14 @@ app.get('/mcp', async (req: Request, res: Response) => {
// Handle DELETE requests for session termination
app.delete('/mcp', async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
// No session ID provided
res.status(400).send('Session ID required');
return;
}
if (!transports[sessionId]) {
// Session ID provided but not found - return 404 per MCP spec
res.status(404).send('Session not found');
return;
}

Expand Down
29 changes: 25 additions & 4 deletions examples/server/src/standaloneSseWithGetStreamableHttp.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,19 @@ app.post('/mcp', async (req: Request, res: Response) => {
if (sessionId && transports[sessionId]) {
// Reuse existing transport
transport = transports[sessionId];
} else if (sessionId && !transports[sessionId]) {
// Session ID provided but not found - return 404 to signal client should start new session
// Per MCP spec: "When a client receives HTTP 404 in response to a request containing
// an Mcp-Session-Id, it MUST start a new session"
res.status(404).json({
jsonrpc: '2.0',
error: {
code: -32_000,
message: 'Session not found'
},
id: null
});
return;
} else if (!sessionId && isInitializeRequest(req.body)) {
// New initialization request - create a fresh server for this client
const server = getServer();
Expand Down Expand Up @@ -87,12 +100,14 @@ app.post('/mcp', async (req: Request, res: Response) => {
await transport.handleRequest(req, res, req.body);
return; // Already handled
} else {
// Invalid request - no session ID or not initialization request
// No session ID and not an initialization request - return 400
// Per MCP spec: "Servers that require a session ID SHOULD respond to requests without
// an Mcp-Session-Id header (other than initialization) with HTTP 400 Bad Request"
res.status(400).json({
jsonrpc: '2.0',
error: {
code: -32_000,
message: 'Bad Request: No valid session ID provided'
message: 'Bad Request: Session ID required'
},
id: null
});
Expand All @@ -119,8 +134,14 @@ app.post('/mcp', async (req: Request, res: Response) => {
// Handle GET requests for SSE streams (now using built-in support from StreamableHTTP)
app.get('/mcp', async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
// No session ID provided
res.status(400).send('Session ID required');
return;
}
if (!transports[sessionId]) {
// Session ID provided but not found - return 404 per MCP spec
res.status(404).send('Session not found');
return;
}

Expand Down