Currently, the HTTP Scheduler API has no concept of Sessions aka SessionID or a TokenID. This is useful in some failure scenarios. As of now, if a framework fails over and then subscribes again with the same FrameworkID with the force option set, the Mesos master would subscribe it.
If the previous instance of the framework/scheduler tries to send a Call , e.g. Call::KILL with the same previous FrameworkID set, it would be still accepted by the master leading to erroneously killing a task.
This is possible because we do not have a way currently of distinguishing connections. It used to work in the previous driver implementation due to the master also performing a UPID check to verify if they matched and only then allowing the call. Following the design process, we will implemented "stream IDs" for Mesos HTTP schedulers; each ID will be associated with a single subscription connection, and the scheduler must include it as a header in all non-subscribe calls sent to the master.