The session id details seem mostly clear but
there's one area I'm not clear about.

When the server assigns a session id, does the
client then include that id in subsequent requests
within that session?

I assumed yes, but I inferred from Rob (K) that it
wasn't necessary. Maybe I mis-understood.

Assuming so: If the client doesn't support (or
care about) sessions, it won't include the session
id.  And (I think we've decided) the client isn't
going to request that a session id be assigned,
the server will do that unilaterally. So when the
server gets a request without a session id, it
will assume a new session, and will assign a new
session id, which the client won't use, etc. So
the server will assign a bunch of session ids that
won't be used. Is that a problem?  (In terms of
wasted resources.)