Persist only the minimum state required, tie it to a known client identity, and make it fully auditable. If the session can carry context across multiple requests, then ownership, logging, and expiry must be designed as part of the transport rather than added later.
Why This Matters for Security Teams
MCP session state becomes a blind spot when teams treat it like harmless transport metadata instead of a live authorisation boundary. A session can hold tool permissions, user context, cached prompts, and downstream references long after the original request has ended. That creates a gap between what the application thinks is happening and what the transport still allows.
This matters because session state often outlives the control that created it. If expiry, ownership, and audit trail are not first-class properties, the session can be replayed, inherited, or expanded in ways that bypass normal review. NHI Management Group research on Ultimate Guide to NHIs shows how easily identity sprawl turns into operational risk, and the same pattern appears in MCP when state is persisted without strict scope. OWASP’s OWASP Non-Human Identity Top 10 reinforces that non-human access must be explicitly bounded, not assumed safe because it is machine-to-machine.
In practice, many security teams encounter MCP session abuse only after a shared session has already been reused across tools or an incident review cannot reconstruct who had access to what.
How It Works in Practice
The safest pattern is to minimise state, bind it to a verified client identity, and make every state transition auditable. In MCP terms, that means the server should not store broad, reusable session context unless it is required for the workflow. Where state must persist, it should be tied to a known workload identity, user identity, or delegated token chain so the session is attributable at all times.
Current guidance suggests treating session state as part of the authorisation system rather than a convenience layer. That means:
- Issuing short-lived session identifiers with strict expiry and revocation.
- Storing only the minimum context needed for the next request, not a reusable access bundle.
- Recording ownership, tool scope, and state changes in immutable logs.
- Validating each request against the active session state, not the initial handshake alone.
- Linking session state to workload identity patterns such as SPIFFE or OIDC where appropriate.
This is consistent with the direction of the OWASP Agentic AI Top 10, which emphasises runtime controls for dynamic systems, and with NIST’s broader risk-based approach in the AI Risk Management Framework. For MCP-specific risk, NHI Management Group’s Analysis of Claude Code Security is useful because it shows how tool-enabled systems can quietly accumulate privilege when state is not tightly controlled. In one recent industry report, only 18% of MCP server deployments implemented any form of access scoping for tool permissions, which is a strong indicator that session state is often carrying more privilege than teams realise.
These controls tend to break down when multiple agents, shared service accounts, or long-running jobs reuse the same session across divergent tool calls because the original authorisation context no longer matches the active request.
Common Variations and Edge Cases
Tighter session controls often increase operational overhead, requiring organisations to balance traceability against developer convenience and throughput. That tradeoff becomes real in long-running workflows, streaming interactions, and human-in-the-loop approvals, where the session may need to survive longer than a single request without becoming a standing access channel.
Best practice is evolving for these cases. There is no universal standard for how much MCP context should be persisted, but the current direction is clear: persist only what is necessary, re-check authorisation on each meaningful state change, and expire anything that cannot be justified by workflow continuity. Shared gateways and proxy layers should not be allowed to aggregate trust silently, because they can turn one scoped session into a broad access lane.
This is also where NHIs and agentic systems converge. The same identity hygiene that applies to secrets and service accounts in the 52 NHI Breaches Analysis applies to MCP sessions: if you cannot prove who owns the state, you cannot prove what it was allowed to do. The practical answer is to make session expiry visible, ownership explicit, and audit trails complete before the system is put into production.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Session state must be bound to a verified non-human identity. |
| OWASP Agentic AI Top 10 | A1 | Agentic systems can reuse session context across unsafe tool calls. |
| NIST AI RMF | AI RMF addresses governance, traceability, and accountability for dynamic AI systems. |
Establish ownership, logging, and review for every session that carries agent context.
Related resources from NHI Mgmt Group
- How can organisations keep directory-based access under control?
- How should organisations build DNS disaster recovery into identity and access planning?
- How should organisations decide between VPNs and application-level access controls?
- How do security teams know whether an AI gateway is becoming a control plane risk?
