fix: clear session ID on HTTP 404 per MCP spec §Session Management #2086

Open
Christian-Sidak wants to merge 1 commit into modelcontextprotocol:main from Christian-Sidak:fix/issue-1708
@Christian-Sidak
Contributor

Summary

  • Clears _sessionId in _send() (POST path) when the server responds with HTTP 404 and a session ID was set
  • Clears _sessionId in _startOrAuthSse() (GET path) with the same condition
  • Adds 3 regression tests: POST path clears session ID, GET path clears session ID, non-404 errors do NOT clear session ID

Background

The MCP spec (2025-03-26) §Session Management point 4 states:

When a client receives HTTP 404 in response to a request containing an Mcp-Session-Id, it MUST start a new session by sending a new InitializeRequest without a session ID attached.

Previously, both code paths threw StreamableHTTPError without clearing this._sessionId, leaving the transport stuck with a stale session ID on all subsequent calls. Every follow-up send() would keep attaching the dead Mcp-Session-Id header and receiving 404 indefinitely.

Test plan

  • should clear session ID on 404 POST (per spec §Session Management) — POST path clears _sessionId after 404
  • should clear session ID on 404 GET SSE (per spec §Session Management) — GET path clears _sessionId after 404
  • should NOT clear session ID on non-404 errors — 500 errors leave _sessionId intact
  • All 56 existing client-transport tests still pass

Fixes #1708

When a server returns 404 in response to a request with Mcp-Session-Id,
the MCP spec (2025-03-26 §Session Management point 4) requires clearing
the session ID so the next request triggers a fresh initialize handshake.

Previously, both `_send()` (POST) and `_startOrAuthSse()` (GET) threw
StreamableHTTPError without clearing `_sessionId`, leaving the transport
stuck with a stale session ID on all subsequent calls.

Fixes modelcontextprotocol#1708

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Christian-Sidak requested a review from a team as a code owner May 14, 2026 09:01
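
The stale-session loop described in the PR summary, as an added example that is not part of the pull request or the SDK. `FakeServer`, `MiniTransport`, the `clearOn404` switch and the session ID strings are hypothetical, the model is synchronous and in-memory, and it assumes the caller sends the new `initialize` itself.

```javascript
// Constructed in-memory model; FakeServer and MiniTransport are hypothetical, not SDK classes.
class FakeServer {
  sessions = new Set();
  issued = 0;
  forceStatus = null; // set to 500 to simulate a server error unrelated to sessions
  handle(method, headers) {
    if (this.forceStatus !== null) return { status: this.forceStatus };
    const sid = headers['mcp-session-id'];
    // Unknown or expired session ID: 404, even if the request is an initialize.
    if (sid !== undefined && !this.sessions.has(sid)) return { status: 404 };
    if (method !== 'initialize') return { status: sid === undefined ? 400 : 200 };
    const sessionId = `constructed-session-${++this.issued}`;
    this.sessions.add(sessionId);
    return { status: 200, sessionId };
  }
}

class MiniTransport {
  constructor(server, clearOn404) { Object.assign(this, { server, clearOn404, sessionId: undefined }); }
  send(method) {
    const headers = this.sessionId === undefined ? {} : { 'mcp-session-id': this.sessionId };
    const res = this.server.handle(method, headers);
    if (res.status !== 200) {
      // Rule from the PR description: only a 404 on a request that carried a session ID clears it.
      if (this.clearOn404 && res.status === 404 && this.sessionId !== undefined) this.sessionId = undefined;
      throw new Error(`HTTP ${res.status}`);
    }
    if (res.sessionId !== undefined) this.sessionId = res.sessionId;
    return res.status;
  }
}

// Outcome of three calls made after the server has forgotten the session.
function statusesAfterExpiry(clearOn404) {
  const server = new FakeServer();
  const transport = new MiniTransport(server, clearOn404);
  transport.send('initialize');
  server.sessions.clear(); // constructed event: server restart or session expiry
  return ['tools/list', 'initialize', 'tools/list'].map((method) => {
    try { return transport.send(method); } catch (err) { return err.message; }
  });
}

// A 500 must leave the session ID in place so the same session can be retried.
function sessionIdAfter500() {
  const server = new FakeServer();
  const transport = new MiniTransport(server, true);
  transport.send('initialize');
  server.forceStatus = 500;
  try { transport.send('tools/list'); } catch (err) { /* expected failure */ }
  return transport.sessionId;
}
```

With `clearOn404` off, even the re-`initialize` carries the dead header and is rejected, which is the indefinite 404 loop the summary describes.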
@changeset-bot
changeset-bot Bot commented May 14, 2026

🦋 Changeset detected

Latest commit: 6a46396

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@modelcontextprotocol/client Patch

@pkg-pr-new
pkg-pr-new Bot commented May 14, 2026

@modelcontextprotocol/client

npm i https://pkg.pr.new/@modelcontextprotocol/client@2086

@modelcontextprotocol/server

npm i https://pkg.pr.new/@modelcontextprotocol/server@2086

@modelcontextprotocol/express

npm i https://pkg.pr.new/@modelcontextprotocol/express@2086

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/@modelcontextprotocol/fastify@2086

@modelcontextprotocol/hono

npm i https://pkg.pr.new/@modelcontextprotocol/hono@2086

@modelcontextprotocol/node

npm i https://pkg.pr.new/@modelcontextprotocol/node@2086

commit: 6a46396

Development

Successfully merging this pull request may close these issues.

StreamableHTTPClientTransport doesn't handle 404 per spec (no session clear + re-init)