Proposal: add StreamableHTTPOptions.GetUserID

[findleyr]

I propose that we add a new field to StreamableHTTPOptions that may be used to prevent session hijacking for servers that use authentication. Right now, in order to properly prevent session hijacking, server authors must associate an authenticated identity with a server session, which means they must maintain a map of session information. This is not obvious, and is liable to be implemented incorrectly. Since the StreamableHTTPHandler manages session information, it should be responsible for maintaining this association.

Therefore, I propose adding a new field GetUserID through which server authors can provide the user's identity:

type StreamableHTTPOptions struct{
  // If provided, GetUserID returns the user ID associated with this request.
  //
  // User IDs are associated with active sessions, and must match for all requests in the session.
  // For servers implementing authentication, it is strongly recommended that they set GetUserID
  // to help prevent session hijacking attacks:
  // https://modelcontextprotocol.io/specification/2025-06-18/basic/security_best_practices#mitigation-3
  GetUserID func(req *http.Request) string

  // … other fields
}

If accepted, we should also update our documentation on session hijacking to specifically recommend this setting.

[findleyr]

@jba points at that in too many authentication models, there is no user ID, so this is probably infeasible. Retracting for now until we resolve if this as worthwhile.