Jump to solution
Verify

aiohttp aiohttp ignoring cookie_jar quote_cookie parameter (Fix)

Fixed
Spec
Package
aiohttp
Python
3.9.6
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-09
Own content ratio
0.63
#9336 ai Updated: 2026-02-13
Issue #9336

The Fix

Reuses the `quote_cookie` setting from the ClientSession's cookie jar when creating a temporary CookieJar in the request method, addressing the issue where cookies were incorrectly quoted.

Based on closed aio-libs/aiohttp issue #9336 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Jump to Verify Open PR/Commit
@@ -0,0 +1,2 @@ @@ -0,0 +1,2 @@ +Update :py:meth:`~aiohttp.ClientSession.request` to reuse the ``quote_cookie`` setting from ``ClientSession._cookie_jar`` when processing cookies parameter. +-- by :user:`Cycloctane`. diff --git a/aiohttp/abc.py b/aiohttp/abc.py
repro.py
import aiohttp import asyncio async def req(): tcp_conn = aiohttp.TCPConnector(limit=10, force_close=True) c_jar = aiohttp.CookieJar(quote_cookie=False) sess = aiohttp.ClientSession(connector=tcp_conn, cookie_jar=c_jar) cookies = {"name": "val="} resp = await sess.request(url="http://localhost:8000/", method="GET", cookies=cookies) print(resp.request_info.headers.get("Cookie")) # name="val=" await sess.close() asyncio.run(req())
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Apply the official fix\nReuses the `quote_cookie` setting from the ClientSession's cookie jar when creating a temporary CookieJar in the request method, addressing the issue where cookies were incorrectly quoted.\nWhen NOT to use: Do not use this fix if cookie quoting behavior is required for compliance with cookie standards.\n\n

Why This Fix Works in Production

  • Trigger: ```python-traceback
  • Mechanism: The ClientSession's temporary CookieJar defaults to quoting cookies, ignoring the quote_cookie setting
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • Shows up under Python 3.9.6 in real deployments (not just unit tests).
  • The ClientSession's temporary CookieJar defaults to quoting cookies, ignoring the quote_cookie setting
  • Production symptom (often without a traceback): ```python-traceback

Proof / Evidence

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“Please create a complete reproducer (or better, a failing test in a PR).”
@Dreamsorcerer · 2024-09-29 · source
“ClientSession()._request() creates a temporary CookieJar tmp_cookie_jar to handle the cookies from the request() parameters”
@Cycloctane · 2024-10-04 · source
“So, perhaps we should be reusing the settings from the global CookieJar. Think you could turn that into a full test?”
@Dreamsorcerer · 2024-10-04 · source
“> So, perhaps we should be reusing the settings from the global CookieJar. Think you could turn that into a full test? I wonder how…”
@Cycloctane · 2024-12-02 · source

Failure Signature (Search String)

  • ```python-traceback
  • Probably. Could also use private attributes if it doesn't make sense to be part of the public API.
Copy-friendly signature
signature.txt
Failure Signature ----------------- ```python-traceback Probably. Could also use private attributes if it doesn't make sense to be part of the public API.

Error Message

Signature-only (no traceback captured)
error.txt
Error Message ------------- ```python-traceback Probably. Could also use private attributes if it doesn't make sense to be part of the public API.

Minimal Reproduction

repro.py
import aiohttp import asyncio async def req(): tcp_conn = aiohttp.TCPConnector(limit=10, force_close=True) c_jar = aiohttp.CookieJar(quote_cookie=False) sess = aiohttp.ClientSession(connector=tcp_conn, cookie_jar=c_jar) cookies = {"name": "val="} resp = await sess.request(url="http://localhost:8000/", method="GET", cookies=cookies) print(resp.request_info.headers.get("Cookie")) # name="val=" await sess.close() asyncio.run(req())

Environment

  • Python: 3.9.6

What Broke

Requests sent with unquoted cookies result in incorrect cookie headers.

Why It Broke

The ClientSession's temporary CookieJar defaults to quoting cookies, ignoring the quote_cookie setting

Fix Options (Details)

Option A — Apply the official fix

Reuses the `quote_cookie` setting from the ClientSession's cookie jar when creating a temporary CookieJar in the request method, addressing the issue where cookies were incorrectly quoted.

When NOT to use: Do not use this fix if cookie quoting behavior is required for compliance with cookie standards.

Fix reference: https://github.com/aio-libs/aiohttp/pull/10093

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • Do not use this fix if cookie quoting behavior is required for compliance with cookie standards.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
  • Pin production dependencies and upgrade only with a reproducible test that hits the failing path.

Related Issues

No related fixes found.

Cluster: aiohttp:configuration-error All hubs All clusters
Related clusters: Data consistency Race condition Auth

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #9336. Not affiliated with the library maintainers. Verify before production use.