Move session ID and background GET setup before SSE processing to prevent cancellation race

Copilot · stephentoub · Copilot · commit 0dea2cc177e0 · 2026-02-27T20:53:46.000Z
The McpSessionHandler.SendRequestAsync races the transport send against the
response TCS using Task.WhenAny. When the TCS completes during SSE stream
processing, the send task is cancelled. But SendHttpRequestAsync previously
set SessionId, _negotiatedProtocolVersion, and started _getReceiveTask AFTER
SSE processing (lines 136-148), so these critical side effects were lost.

Fix: extract SessionId from HTTP response headers and start _getReceiveTask
immediately after receiving a successful HTTP response for initialize requests,
before SSE content processing begins. The protocol version (from the response
body) is still set after SSE processing when possible.

Co-authored-by: stephentoub &lt;2642209+stephentoub@users.noreply.github.com&gt;

Co-authored-by: stephentoub &lt;2642209+stephentoub@users.noreply.github.com&gt;
diff --git a/src/ModelContextProtocol.Core/Client/StreamableHttpClientSessionTransport.cs b/src/ModelContextProtocol.Core/Client/StreamableHttpClientSessionTransport.cs
@@ -100,6 +100,21 @@ internal async Task<HttpResponseMessage> SendHttpRequestAsync(JsonRpcMessage mes
         }
 
         var rpcRequest = message as JsonRpcRequest;
+
+        // For initialize requests, capture session metadata from response headers immediately,
+        // before processing the response body. McpSessionHandler.SendRequestAsync races the
+        // transport send against the response TCS and may cancel this task once the response
+        // arrives during SSE stream processing, so session state must be set before that.
+        if (rpcRequest?.Method == RequestMethods.Initialize)
+        {
+            if (response.Headers.TryGetValues("Mcp-Session-Id", out var sessionIdValues))
+            {
+                SessionId = sessionIdValues.FirstOrDefault();
+            }
+
+            _getReceiveTask ??= ReceiveUnsolicitedMessagesAsync();
+        }
+
         JsonRpcMessageWithId? rpcResponseOrError = null;
 
         if (response.Content.Headers.ContentType?.MediaType == "application/json")
@@ -135,16 +150,8 @@ internal async Task<HttpResponseMessage> SendHttpRequestAsync(JsonRpcMessage mes
 
         if (rpcRequest.Method == RequestMethods.Initialize && rpcResponseOrError is JsonRpcResponse initResponse)
         {
-            // We've successfully initialized! Copy session-id and protocol version, then start GET request if any.
-            if (response.Headers.TryGetValues("Mcp-Session-Id", out var sessionIdValues))
-            {
-                SessionId = sessionIdValues.FirstOrDefault();
-            }
-
             var initializeResult = JsonSerializer.Deserialize(initResponse.Result, McpJsonUtilities.JsonContext.Default.InitializeResult);
             _negotiatedProtocolVersion = initializeResult?.ProtocolVersion;
-
-            _getReceiveTask ??= ReceiveUnsolicitedMessagesAsync();
         }
 
         return response;
