MCP Python SDK sessionId not maintained in browser with TypeScript SDK client

[waugmeiigaxaa]

please move this issue into modelcontextprotocol/typescript-sdk issue
issue

Initial Checks

• I confirm that I'm using the latest version of MCP Python SDK
• I confirm that I searched for my issue in https://github.com/modelcontextprotocol/python-sdk/issues before opening this issue

Description

[BUG] MCP Python SDK sessionId not maintained in browser with TypeScript SDK client

Issue: MCP Python SDK as Server, TypeScript SDK as Client – Node.js works, browser session management fails

Description

When using the official MCP Python SDK (fastmcp) as the server and the TypeScript SDK as the client, session management (mcp-session-id) works correctly in Node.js, but fails in browser environments. This results in repeated "Missing session ID" errors or lost sessions for every request.

Environment

• Server: MCP Python SDK (fastmcp), streamable_http_app, Starlette/uvicorn
• Client: TypeScript SDK (@modelcontextprotocol/sdk), StreamableHTTPClientTransport
• Node.js: Session management works out of the box
• Browser (React/Vitest): Session cannot be maintained
• All code is reverted to official logic, no monkey patching or custom fetch

Key Code Snippets

Server (http-server-streamable.py):

app = mcp.streamable_http_app()
app.add_middleware(
    CORSMiddleware,
    allow_origins=["http://localhost:3000"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"]
)
uvicorn.run(app, host="127.0.0.1", port=8000)

Client (mcpService.ts):

// MCPService (browser and Node.js):
const transport = new StreamableHTTPClientTransport(new URL(this.url));
await mcp.connect(transport);
// In browser, MCPService does not automatically manage sessionId between requests.
// The first response from the server includes Mcp-Session-Id, but MCPService does not persist or inject it for subsequent requests.
// In Node.js, sessionId is managed via cookies and works as expected.

Test Case (mcp-streamable-browser.test.ts):

import { describe, it, expect } from 'vitest';
import { MCPService } from '../../../engine/service/mcpService';

describe('MCPService streamable http tool list', () => {
  it('should fetch tool list from MCP Python server', async () => {
    const mcp = new MCPService('http://127.0.0.1:8000/mcp', 'STREAMABLE_HTTP');
    const result = await Promise.race([
      mcp.listTools(),
      new Promise<{ data: null; error: string }>(resolve => setTimeout(() => resolve({ data: null, error: 'timeout' }), 5000))
    ]);
    const { data, error } = result as { data: any; error: any };
    console.log('Tool list:', data, error);
    console.log('SessionId:', mcp['transport']?.sessionId);
  });
});

Steps to Reproduce

1. Start MCP Python server with the CORS config above (expose_headers tried, but does not help).
2. The SDK makes two requests: the first response from the server includes a valid Mcp-Session-Id header, but the client does not send the sessionId in the header for the second request, causing session management to fail.
3. Same code in Node.js maintains sessionId correctly.

Expected Behavior

• Browser environment should maintain session just like Node.js, with mcp-session-id correctly read and reused, so all requests are in the same session.

Request

• Please confirm if there is a bug in the TypeScript SDK sessionId handling for browsers, or a compatibility issue in the Python SDK server.
• Please provide best practices or a fix for browser session management.

Log Output

Please see the following log output for reference:

1st fetch 200ok
{"method":"initialize","params":{"protocolVersion":"2025-06-18","capabilities":{},"clientInfo":{"name":"mcp-client","version":"1.0.0"}},"jsonrpc":"2.0","id":0}
response header
...
mcp-session-id:68709f581d3740ae82a3dcb523f0ac8c
...
request header (dont have mcp-session-id)
2st fetch 400 Bad Request
{"method":"notifications/initialized","jsonrpc":"2.0"}
{
    "jsonrpc": "2.0",
    "id": "server-error",
    "error": {
        "code": -32600,
        "message": "Bad Request: Missing session ID"
    }
}
response header
...
mcp-session-id:44295e965b524e97b45ccf6351201c13
...
request header (dont have mcp-session-id)


nodejs test log out 
Tool list: [ ... ] undefined ([explain,not test log] sucess get toollist,no error)
SessionId: a9911fbfa8fa4eb78dad791b2dddfc33

Python & MCP Python SDK

python 
python version 3.12
mcp 1.9.2

typescript
@modelcontextprotocol/sdk": "^1.13.0
node version v22.17.0

Other information

When both the MCP server and client use the official TypeScript SDK, session management works as expected.

[pritam-dey3]

I can confirm, I am facing the same issue.

[AbhilashPoshanagari]

I am also facing the same issue.

[mtch99]

I can confirm that I am facing a similar issue, using typsecipt sdk in a browser client and node js server.
In fact, the browser does not send back the mcp-session-id header in the second request (method: notifications/initialized)

[furquanuddin94]

I had the same issue, turned out the CORS server configuration wasn’t exposing the mcp-session-id header.
Fixed it by adding Access-Control-Expose-Headers: mcp-session-id

[BobDickinson]

I had the same issue, turned out the CORS server configuration wasn’t exposing the mcp-session-id header. Fixed it by adding Access-Control-Expose-Headers: mcp-session-id

THANK YOU @furquanuddin94! I chased this for 4 hours today. Node->Node worked fine, Browser->Node failed. Adding the cors exposeHeaders fixed it. I did not have any problems with SSE, just streamable.

app.use(cors({
    exposedHeaders: ['mcp-session-id', 'content-type', 'content-length']
}));

[christopherorea]

Yep, same issue here. An easy way to reproduce is by consuming from hugging face.
I know I can set my own session id

Regardless of this, my client it's not sending the header in the request

As its not saving or doing anything with that session id, on the exact next request, it sends another post, but without a session id.

Making it impossible for the server to respond back, as it doesn't send a session id...

I know the issue is inside client.connect when sending my transport as in the first image. The method is not sending the sessions Id. But, it saves the sessionId inside the StreamableHTTPClientTransport object

This is a console.log with the following data directTransport.sessionId

And just for you to track which client I'm talking about its a Client Object from @modelcontextprotocol/sdk/client/index.js

It looks like, now that is forced by the protocol, the transport session id looks like not having that feature implemented.

[furquanuddin94]

@christopherorea issue is still same. I just checked and huggingface mcp is not sending Access-Control-Expose-Headers in the preflight check.

[christopherorea]

@christopherorea issue is still same. I just checked and huggingface mcp is not sending Access-Control-Expose-Headers in the preflight check.

Doesn't need to, preflight doesn't require the session id. It's more for the browser to make a contact (CORS and that stuff)

Once the preflight is done, which i can confirm, the next step is the post method sent by a client.connect using a StreamableHTTPClientTransport (at least on http-stream) which returns a header from the server with Mcp-Session-Id.

The issue here is that, inside the client.connect object is not updating the Mcp-session-Id inside a transport even when the server sent it. That is why, the next time you try sending to a server that demands a session id it returns an error.

[furquanuddin94]

@christopherorea no, that's not what I meant.

Its a CORS issue, in the sense that MCP server needs to tell browser that what response headers are ok to expose to browser javascript.
That is what is done by Access-Control-Expose-Headers header in the preflight. You can check the above example in the comment as well.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Expose-Headers

[christopherorea]

@christopherorea no, that's not what I meant.

Its a CORS issue, in the sense that MCP server needs to tell browser that what response headers are ok to expose to browser javascript. That is what is done by Access-Control-Expose-Headers header in the preflight. You can check the above example in the comment as well.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Expose-Headers

I see... but to be 100% honest, that is just a quick fix but that wouldn't be a real long term solution:

First, you are making responsible to the server to send a preflight, when there might be thousands of different servers in the web, some with python, others in javascript... that won't solve the issue for Javascript SDKs

Second, SERVERS ARE SENDING A SESSION ID but the SDK code is not catching it!!!

If you look closer to the images i posted, you will see exactly what i mean with it. I didn't have to ask for any preflight to make the server to respond to me with the session id in the headers, thus making it possible to catch it and save it inside the StreamableHTTPClientTransport object.

[furquanuddin94]

CORS config is unrelated to MCPs and its built in browser for security purposes.

And from what I know, MCP was a local first protocol designed to mainly interact with native apps as clients.

If you still use MCP with native apps, no CORS setup is required. But with browser, MCP is equal to a remote server and calls to it needs to follow proper CORS config.

I hope that clarifies things a bit.

[xmseraph]

I am using starlette
starlette_app = CORSMiddleware(
starlette_app,
allow_origins=[""], # Allow all origins - adjust as needed for production
allow_methods=[""], # MCP streamable HTTP methods
allow_headers=["*"], # Allow all headers, is also required, otherwise expose_headers doesn't work.
expose_headers=["Mcp-Session-Id"],
)