FIX messages should never be missing SenderCompID
and TargetCompID
in the header. Whoever is sending that to you is sending you an invalid FIX message.
I can't explain why your QF engine is not rejecting this "D" message. Maybe you have disabled some validation checks in your config. (Or maybe the C++ version of QF doesn't validate those fields the same way as the other QF ports do.)
I suspect, however, that your original Login message/response had the correct IDs, and your engine used those IDs to identify the socket that it setup for your session. After the socket was set up, it stopped verifying the IDs. To be honest, it doesn't really need to on a TCP socket -- once the session is established, any message received on that socket must be part of the same session.
So, to your question, the answer is "No", you should not have to keep track of session names. This situation is highly irregular. Your counterparty is sending you bad messages.
To work around this, though, you can just look at the SessionID that is passed into the QF callbacks. That'll tell you which session this message came from.