The Fix

Ensures that cookies are still parsed after encountering a malformed cookie, such as Google's g_state cookie with unescaped quotes.

Based on closed aio-libs/aiohttp issue #11632 · PR/commit linked

@@ -0,0 +1 @@ @@ -0,0 +1 @@ +Fixed cookie parser to continue parsing subsequent cookies when encountering a malformed cookie that fails regex validation, such as Google's ``g_state`` cookie with unescaped quotes -- by :user:`bdraco`. diff --git a/aiohttp/_cookie_helpers.py b/aiohttp/_cookie_helpers.py index 7fe8f43d12b..20a278b0d5b 100644
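Review bot: the excerpt shows the `@@ -0,0 +1 @@` header twice with no `+++` path for the new file, so it is not visible which CHANGES fragment this adds, and the `diff --git a/aiohttp/_cookie_helpers.py` header carries no hunk body, so the parser change itself (the loop that now skips a pair failing regex validation instead of stopping) cannot be reviewed from what is shown; the page should carry that hunk and the regression test with a malformed pair followed by a valid one. The fragment text also does not say what happens to the skipped pair, whether it is dropped silently or surfaced to the caller, which matters to anyone debugging missing cookies and is worth one clause in the changelog entry.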

Why This Fix Works in Production

  • Trigger: a Cookie header in which one cookie-pair fails the parser's regex validation, for example Google's g_state cookie, whose JSON value contains unescaped double quotes
  • Mechanism: before the fix the parser stopped at the first pair it could not validate, so g_state and every cookie after it were dropped; with the fix the bad pair is skipped and parsing continues with the next pair
Production impact:
  • If left unfixed, any cookie that happens to be ordered after g_state (session, CSRF or preference cookies) is silently missing, with no exception or log line; requests then look unauthenticated or lose state, and the cause is hard to trace back to cookie parsing.

Why This Breaks in Prod

  • Reproduced by the reporter in a real server test suite (aiohttp 3.12.15 on Python 3.11.1; the reporter also saw it on 3.13), not only in an isolated unit test. The Python version is incidental: the parser is aiohttp's.
  • g_state is set on a site's own domain by Google's sign-in script, so the malformed pair arrives in ordinary browser traffic next to your own cookies, in whatever order the browser sends them.
  • Production symptom (no traceback): the reporter's test assertion self.assertEqual(resp.status, 200) fails because the server never saw the cookies that followed g_state; in production the same request simply behaves as if those cookies were absent.

Proof / Evidence

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

“I tested 3.13 after I saw https://github.com/aio-libs/aiohttp/pull/11112 however it does not fix the issue. Note that the above test is from our real world server…”
@thehesiod · 2025-10-10 · source
“Any chance you could make an xfail test in a PR? Maybe @bdraco wants to check this one too, following that previous PR.”
@Dreamsorcerer · 2025-10-14 · source
“@Dreamsorcerer https://github.com/aio-libs/aiohttp/pull/11651.”
@thehesiod · 2025-10-14 · source
“btw not sure why that pr is failing, it simply adds a test, doesn't seem like it needs any documentation”
@thehesiod · 2025-10-14 · source

Failure Signature (Search String)

  • self.assertEqual(resp.status, 200) (the failing assertion in the reporter's server test; aiohttp itself raises nothing)

Copy-friendly signature
signature.txt
Failure Signature ----------------- self.assertEqual(resp.status, 200)

Error Message

Signature-only (no traceback captured). There is no error message to search for: the malformed pair and every cookie after it are silently absent from the parsed cookies, so the failure surfaces only where the application expects those cookies to be present.

Minimal Reproduction

The page records only the reporter's installed package metadata (pip show aiohttp); the reporter's server test itself is not reproduced here.

  • Name: aiohttp
  • Version: 3.12.15
  • Summary: Async http client/server framework (asyncio)
  • Home-page: https://github.com/aio-libs/aiohttp
  • License: Apache-2.0 AND MIT
  • Location: /Users/alexmohr/.local/share/uv/venv/fbn.com/api/commodities/lib/python3.11/site-packages
  • Requires: aiohappyeyeballs, aiosignal, attrs, frozenlist, multidict, propcache, yarl
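Added example, not the reporter's test and not aiohttp's code: a constructed Cookie header carrying Google's g_state cookie between two ordinary cookies, parsed three ways. The standard library's SimpleCookie shows the stop-at-first-bad-pair behaviour the page describes; parse_cookie_header (a name chosen here) shows the lenient posture the fix adopts, skipping the pair that fails the RFC 6265 grammar and continuing; its strict=True flag shows the posture the "When NOT to use" caveat refers to, refusing the whole header. HEADER, parse_with_stdlib and strict_rejects are likewise constructed for this example.

```python
"""Constructed demonstration (not aiohttp's code): a Cookie header carrying
Google's g_state cookie, whose JSON value contains unescaped double quotes,
parsed with the stdlib, leniently (skip the bad pair and keep going) and
strictly (reject the header)."""
import re
from http.cookies import SimpleCookie

# Constructed sample header: a valid cookie, then the malformed g_state pair,
# then another valid cookie that a truncating parser loses.
HEADER = 'session=abc123; g_state={"i_l":0}; csrftoken=xyz789'

# RFC 6265 cookie-name is an HTTP token: no CTLs, no separators.
_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# RFC 6265 cookie-value: cookie-octets, optionally wrapped in DQUOTEs.
# cookie-octet excludes CTLs, SP, DQUOTE, comma, semicolon and backslash,
# so the '"' inside g_state's JSON value fails validation.
_OCTETS = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"
_VALUE_RE = re.compile(rf'^(?:{_OCTETS}|"{_OCTETS}")$')


def parse_cookie_header(header, strict=False):
    """Parse a Cookie request header into (cookies, rejected_pairs).

    A pair that fails the grammar is appended to rejected_pairs and skipped;
    parsing continues with the next pair, which is what the fix does.
    With strict=True the first bad pair raises ValueError instead, the
    behaviour to keep if a malformed header must be refused outright
    rather than partially accepted.
    """
    cookies = {}
    rejected = []
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not _NAME_RE.match(name) or not _VALUE_RE.match(value):
            if strict:
                raise ValueError(f"malformed cookie-pair: {raw!r}")
            rejected.append(raw)
            continue  # keep going: the pairs after this one are still intact
        cookies[name] = value
    return cookies, rejected


def parse_with_stdlib(header):
    """http.cookies.SimpleCookie stops at the first pair its regex cannot
    match, so g_state and everything after it are lost."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def strict_rejects(header):
    """True if strict parsing refuses the header as a whole."""
    try:
        parse_cookie_header(header, strict=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("stdlib :", parse_with_stdlib(HEADER))
    lenient, dropped = parse_cookie_header(HEADER)
    print("lenient:", lenient, "skipped:", dropped)
    print("strict rejects header:", strict_rejects(HEADER))
```

Splitting on ";" first and validating each pair on its own is what makes the lenient parser recover csrftoken; a pair whose value itself contained ";" could not be recovered by any parser, since ";" is the delimiter. Returning the rejected pairs to the caller, rather than discarding them, is what lets you log them and notice when a client is sending something your parser refuses.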

Environment

  • Python: 3.11.1
  • aiohttp: 3.12.15 (from the reporter's pip show output; the reporter also confirmed the failure on 3.13)

What Broke

When a Cookie header contains Google's g_state cookie, a JSON value with unescaped double quotes, aiohttp stops at that pair: g_state and every cookie after it are absent from the parsed cookies, so the application sees incomplete cookie data with no error.

Why It Broke

The cookie parser validates each cookie-pair against a regex; when a pair such as Google's g_state fails validation, the parser stopped instead of skipping that pair, so no subsequent cookie was parsed.

Fix Options (Details)

Option A — Apply the official fix

Ensures that cookies are still parsed after encountering a malformed cookie, such as Google's g_state cookie with unescaped quotes.

When NOT to use: the fix makes parsing lenient; a cookie-pair that fails validation is skipped and parsing continues. If your application needs a malformed Cookie header to be refused as a whole, or treats the set of parsed cookies as authoritative for a security decision, review whether silently skipping a bad pair is acceptable for you. Note that the pre-fix behaviour did not refuse the header either; it silently dropped the remainder, which is the worse of the two for anyone relying on the cookies that followed.

Fix reference: https://github.com/aio-libs/aiohttp/pull/11724

Last verified: 2026-02-09. Validate in your environment.

Verify Fix

verify
On the broken version, send a request whose Cookie header carries the g_state pair followed by another cookie and confirm the trailing cookie is missing from the parsed cookies (request.cookies on the server side). Upgrade to a release that includes PR #11724 (check the CHANGES entry quoted above against your installed version) and re-run: the trailing cookie should now be present and only the malformed g_state pair skipped.

Prevention

  • Add a regression test that sends a Cookie header with a malformed pair (a g_state value with unescaped quotes is a realistic one) followed by a valid cookie, and assert the valid cookie is parsed.
  • Log or count the cookie-pairs your parser rejects; the silent drop is what made this hard to diagnose.
  • Pin production dependencies and upgrade only with a reproducible test that hits the failing path.

Related Issues

No related fixes found.

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.