Use info level and truncate client-controlled session ID

maxisbey · maxisbey · commit 3041fd0b5c85 · 2026-03-06T16:50:33.000Z
- warning -> info: this is normal post-restart operation per spec, matches session lifecycle logs at :220 and :247 - truncate to 64 chars: unlike other session-ID logs in this file, this value is client-controlled input - add caplog assertion to existing 404 test Reported-by: Johnathan Oneal Github-Issue: #2204
diff --git a/src/mcp/server/streamable_http_manager.py b/src/mcp/server/streamable_http_manager.py
@@ -272,7 +272,7 @@ async def run_server(*, task_status: TaskStatus[None] = anyio.TASK_STATUS_IGNORE
             # Unknown or expired session ID - return 404 per MCP spec
             # TODO: Align error code once spec clarifies
             # See: https://github.com/modelcontextprotocol/python-sdk/issues/1821
-            logger.warning(f"Rejected request with unknown or expired session ID: {request_mcp_session_id}")
+            logger.info(f"Rejected request with unknown or expired session ID: {request_mcp_session_id[:64]}")
             error_response = JSONRPCError(
                 jsonrpc="2.0",
                 id=None,
diff --git a/tests/server/test_streamable_http_manager.py b/tests/server/test_streamable_http_manager.py
@@ -1,6 +1,7 @@
 """Tests for StreamableHTTPSessionManager."""
 
 import json
+import logging
 from typing import Any
 from unittest.mock import AsyncMock, patch
 
@@ -269,7 +270,7 @@ async def mock_receive():
 
 
 @pytest.mark.anyio
-async def test_unknown_session_id_returns_404():
+async def test_unknown_session_id_returns_404(caplog: pytest.LogCaptureFixture):
     """Test that requests with unknown session IDs return HTTP 404 per MCP spec."""
     app = Server("test-unknown-session")
     manager = StreamableHTTPSessionManager(app=app)
@@ -299,7 +300,8 @@ async def mock_send(message: Message):
         async def mock_receive():
             return {"type": "http.request", "body": b"{}", "more_body": False}  # pragma: no cover
 
-        await manager.handle_request(scope, mock_receive, mock_send)
+        with caplog.at_level(logging.INFO):
+            await manager.handle_request(scope, mock_receive, mock_send)
 
         # Find the response start message
         response_start = next(
@@ -315,6 +317,7 @@ async def mock_receive():
         assert error_data["id"] is None
         assert error_data["error"]["code"] == INVALID_REQUEST
         assert error_data["error"]["message"] == "Session not found"
+        assert "Rejected request with unknown or expired session ID: non-existent-session-id" in caplog.text
 
 
 @pytest.mark.anyio
