[Server] Malformed or duplicate `Mcp-Session-Id` headers cause HTTP 500 responses

[cclabadmin]

Describe the bug

The PHP SDK Streamable HTTP server returns HTTP 500 for malformed or duplicate Mcp-Session-Id inputs. Since these inputs come from client-supplied request metadata, I would expect them to be rejected as client/transport errors, rather than surfacing as internal server errors.

Tested with:

• PHP SDK: reproduced with stable release v0.6.0 (433c84b58af346dd32f15f9909679e96a46ebe23)
• Transport: Streamable HTTP

To Reproduce

1. Start a PHP SDK Streamable HTTP server.
2. Complete a normal initialization flow.
3. Send a valid JSON-RPC request, such as tools/list, with a malformed Mcp-Session-Id.
4. Repeat with a wrong-format session id and with duplicate Mcp-Session-Id headers.

Representative request:

POST /mcp HTTP/1.1
Content-Type: application/json
Accept: application/json, text/event-stream
Mcp-Session-Id: {"not":"a-token"}

{"jsonrpc":"2.0","id":"session-id-repro","method":"tools/list","params":{}}

For the duplicate case, send two Mcp-Session-Id headers on the same request.

Expected behavior

The MCP specification explicitly uses 400 Bad Request for missing required session ids and 404 Not Found for requests containing a terminated session id. It does not appear to explicitly define the status code for malformed or duplicate Mcp-Session-Id headers, but those inputs are client-supplied request metadata, so I would expect a 4xx rejection rather than 500 Internal Server Error.

Logs

Case	HTTP status
malformed Mcp-Session-Id (e.g. JSON object)	500
wrong-format Mcp-Session-Id (e.g. non-ASCII)	500
duplicate Mcp-Session-Id headers	500
stale but well-formed Mcp-Session-Id	404
omitted Mcp-Session-Id	400

The last two rows show that some session-id validation paths already return 4xx responses. The 500 responses appear to be specific to malformed or duplicate session-id header inputs.