
feature: Having the HTTP Request context for The Session Management #625

@aradyaron

Problem Statement

The interface of sessionIdManager UI does not allow additional context from the HTTP request.
I want to verify that the MCP Session ID I generate serves a single user.
To do that, I need to receive information about the incoming API request.
Currently the API only receives the MCP session ID, and passing the request requires complex state management of the incoming HTTP requests.

type SessionIdManager interface {

A clear and concise description of what the problem is. For example, "I'm always frustrated when [...]"

Proposed Solution

One of the following options:

  1. Send the HTTP Request itself to the Session ID Validator.
  2. Have a new SessionIdManagerResolver, which has a function of getSessionIdManager(http.Request) SessionIdManager.

MCP Spec Reference

https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#session-management

Specifically - https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#session-management:~:text=The%20server%20MAY%20terminate%20the%20session%20at%20any%20time%2C%20after%20which%20it%20MUST%20respond%20to%20requests%20containing%20that%20session%20ID%20with%20HTTP%20404%20Not%20Found.

Example Usage

Option 1

type SessionIdManager interface {
	Generate(r *http.Request) string
	// Validate checks if a session ID is valid and not terminated.
	// Returns isTerminated=true if the ID is valid but belongs to a terminated session.
	// Returns err!=nil if the ID format is invalid or lookup failed.
	Validate(sessionID string, r *http.Request) (isTerminated bool, err error)
	// Terminate marks a session ID as terminated.
	// Returns isNotAllowed=true if the server policy prevents client termination.
	// Returns err!=nil if the ID is invalid or termination failed.
	Terminate(sessionID string, r *http.Request) (isNotAllowed bool, err error)
}

Option 2

type SessionIdManager interface {
	Generate() string
	// Validate checks if a session ID is valid and not terminated.
	// Returns isTerminated=true if the ID is valid but belongs to a terminated session.
	// Returns err!=nil if the ID format is invalid or lookup failed.
	Validate(sessionID string) (isTerminated bool, err error)
	// Terminate marks a session ID as terminated.
	// Returns isNotAllowed=true if the server policy prevents client termination.
	// Returns err!=nil if the ID is invalid or termination failed.
	Terminate(sessionID string) (isNotAllowed bool, err error)
}

type SessionIdManagerResolver interface {
	ResolveSessionIdManager(r *http.Request) SessionIdManager
}

Alternatives/Workarounds Considered

A clear and concise description of any alternative solutions, workarounds, or features you've considered.
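
An added example, not code from the project or the issue author: a manager with the Option 1 method set that binds each generated session ID to the user found in the request and rejects the ID when any other caller presents it. `BoundManager`, `userKey` and `requestAs` are hypothetical names, and the authenticated user is assumed to have been placed in the request context by the server's auth middleware.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"sync"
)

type userKey struct{} // context key; assumed to be filled in by auth middleware

func requestAs(user string) *http.Request { // constructed sample request
	r, _ := http.NewRequest("POST", "http://mcp.example/mcp", nil)
	return r.WithContext(context.WithValue(r.Context(), userKey{}, user))
}

type BoundManager struct{ owner, closed sync.Map } // ID -> user, ID -> terminated

func (m *BoundManager) Generate(r *http.Request) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never hand out an ID without secure randomness
	}
	id := hex.EncodeToString(b)
	m.owner.Store(id, r.Context().Value(userKey{})) // bind the ID to the caller
	return id
}

func (m *BoundManager) Validate(id string, r *http.Request) (isTerminated bool, err error) {
	user, _ := r.Context().Value(userKey{}).(string)
	if owner, ok := m.owner.Load(id); !ok || user == "" || owner != user {
		return false, fmt.Errorf("session ID unknown or not issued to this caller")
	}
	_, isTerminated = m.closed.Load(id)
	return isTerminated, nil
}

func (m *BoundManager) Terminate(id string, r *http.Request) (isNotAllowed bool, err error) {
	if _, err = m.Validate(id, r); err == nil { // only the owner may terminate
		m.closed.Store(id, true)
	}
	return false, err
}

func main() {
	m := new(BoundManager)
	fmt.Println(m.Validate(m.Generate(requestAs("alice")), requestAs("bob")))
}
```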
