chore: add a note about client session ID handling (modelcontextprotocol#648)

SamMorrowDrums · pcarleton · web-flow · commit c70451e881bc · 2025-11-24T21:33:56.000Z
* chore: add a note about client session ID handling

Reapply PR 648 - clients MUST treat the session ID as a credential and handle it in a secure manner.

* Update docs/specification/draft/basic/transports.mdx

Co-authored-by: Paul Carleton &lt;paulcarletonjr@gmail.com&gt;

---------

Co-authored-by: Paul Carleton &lt;paulcarletonjr@gmail.com&gt;
diff --git a/docs/specification/draft/basic/transports.mdx b/docs/specification/draft/basic/transports.mdx
@@ -202,6 +202,7 @@ servers which want to establish stateful sessions:
      securely generated UUID, a JWT, or a cryptographic hash).
    - The session ID **MUST** only contain visible ASCII characters (ranging from 0x21 to
      0x7E).
+   - The client **MUST** handle the session ID in a secure manner, see [Session Hijacking mitigations](/specification/draft/basic/security_best_practices#session-hijacking) for more details.
 2. If an `Mcp-Session-Id` is returned by the server during initialization, clients using
    the Streamable HTTP transport **MUST** include it in the `Mcp-Session-Id` header on
    all of their subsequent HTTP requests.
