Releases: aio-libs/aiohttp
3.12.8
Features
-
Added preemptive digest authentication to :class:
~aiohttp.DigestAuthMiddleware-- by :user:bdraco.The middleware now reuses authentication credentials for subsequent requests to the same
protection space, improving efficiency by avoiding extra authentication round trips.
This behavior matches how web browsers handle digest authentication and follows
:rfc:7616#section-3.6.Preemptive authentication is enabled by default but can be disabled by passing
preemptive=Falseto the middleware constructor.
3.12.7
Warning
This release fixes an issue where the quote_cookie parameter was not being properly respected for shared cookies (domain="", path=""). If your server does not handle quoted cookies correctly, you may need to disable cookie quoting by setting quote_cookie=False when creating your ClientSession or CookieJar.
See https://docs.aiohttp.org/en/stable/client_advanced.html#cookie-quoting-routine for details.
Bug fixes
-
Fixed cookie parsing to be more lenient when handling cookies with special characters
in names or values. Cookies with characters like{,}, and/in names are now
accepted instead of causing a :exc:~http.cookies.CookieErrorand 500 errors. Additionally,
cookies with mismatched quotes in values are now parsed correctly, and quoted cookie
values are now handled consistently whether or not they include special attributes
likeDomain. Also fixed :class:~aiohttp.CookieJarto ensure shared cookies (domain="", path="")
respect thequote_cookieparameter, making cookie quoting behavior consistent for
all cookies -- by :user:bdraco.Related issues and pull requests on GitHub:
#2683, #5397, #7993, #11112. -
Fixed an issue where cookies with duplicate names but different domains or paths
were lost when updating the cookie jar. The :class:~aiohttp.ClientSession
cookie jar now correctly stores all cookies even if they have the same name but
different domain or path, following the :rfc:6265#section-5.3storage model -- by :user:bdraco.Note that :attr:
ClientResponse.cookies <aiohttp.ClientResponse.cookies>returns
a :class:~http.cookies.SimpleCookiewhich uses the cookie name as a key, so
only the last cookie with each name is accessible via this interface. All cookies
can be accessed via :meth:ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall>if needed.Related issues and pull requests on GitHub:
#4486, #11105, #11106.
Miscellaneous internal changes
-
Avoided creating closed futures in
ResponseHandlerthat will never be awaited -- by :user:bdraco.Related issues and pull requests on GitHub:
#11107. -
Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:
bdraco.Related issues and pull requests on GitHub:
#11114.
3.12.7rc0
bdraco
J. Nick Koston
Bug fixes
-
Fixed cookie parsing to be more lenient when handling cookies with special characters
in names or values. Cookies with characters like{,}, and/in names are now
accepted instead of causing a :exc:~http.cookies.CookieErrorand 500 errors. Additionally,
cookies with mismatched quotes in values are now parsed correctly, and quoted cookie
values are now handled consistently whether or not they include special attributes
likeDomain. Also fixed :class:~aiohttp.CookieJarto ensure shared cookies (domain="", path="")
respect thequote_cookieparameter, making cookie quoting behavior consistent for
all cookies -- by :user:bdraco.Related issues and pull requests on GitHub:
#2683, #5397, #7993, #11112. -
Fixed an issue where cookies with duplicate names but different domains or paths
were lost when updating the cookie jar. The :class:~aiohttp.ClientSession
cookie jar now correctly stores all cookies even if they have the same name but
different domain or path, following the :rfc:6265#section-5.3storage model -- by :user:bdraco.Note that :attr:
ClientResponse.cookies <aiohttp.ClientResponse.cookies>returns
a :class:~http.cookies.SimpleCookiewhich uses the cookie name as a key, so
only the last cookie with each name is accessible via this interface. All cookies
can be accessed via :meth:ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall>if needed.Related issues and pull requests on GitHub:
#4486, #11105, #11106.
Miscellaneous internal changes
-
Avoided creating closed futures in
ResponseHandlerthat will never be awaited -- by :user:bdraco.Related issues and pull requests on GitHub:
#11107. -
Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:
bdraco.Related issues and pull requests on GitHub:
#11114.
3.12.6
Bug fixes
-
Fixed spurious "Future exception was never retrieved" warnings for connection lost errors when the connector is not closed -- by :user:
bdraco.When connections are lost, the exception is now marked as retrieved since it is always propagated through other means, preventing unnecessary warnings in logs.
Related issues and pull requests on GitHub:
#11100.
3.12.5
This release failed to upload to PyPI because sigstore failed with 502 Server Error: Bad Gateway for url: https://rekor.sigstore.dev/api/v1/log/entries/. A new release will need to be made.
Features
-
Added
ssl_shutdown_timeoutparameter to :py:class:~aiohttp.ClientSessionand :py:class:~aiohttp.TCPConnectorto control the grace period for SSL shutdown handshake on TLS connections. This helps prevent "connection reset" errors on the server side while avoiding excessive delays during connector cleanup. Note: This parameter only takes effect on Python 3.11+ -- by :user:bdraco.
Miscellaneous internal changes
-
Improved performance of isinstance checks by using collections.abc types instead of typing module equivalents -- by :user:
bdraco.
3.12.4
3.12.3
3.12.2
Bug fixes
-
Fixed
Content-Lengthheader not being set to0for non-GET requests withNonebody -- by :user:bdraco.Non-GET requests (
POST,PUT,PATCH,DELETE) withNoneas the body now correctly set theContent-Lengthheader to0, matching the behavior of requests with empty bytes (b""). This regression was introduced in aiohttp 3.12.1.Related issues and pull requests on GitHub:
#11035.
3.12.1
Features
-
Added support for reusable request bodies to enable retries, redirects, and digest authentication -- by :user:
bdracoand :user:GLGDLY.Most payloads can now be safely reused multiple times, fixing long-standing issues where POST requests with form data or file uploads would fail on redirects with errors like "Form data has been processed already" or "I/O operation on closed file". This also enables digest authentication to work with request bodies and allows retry mechanisms to resend requests without consuming the payload. Note that payloads derived from async iterables may still not be reusable in some cases.
Related issues and pull requests on GitHub:
#5530, #5577, #9201, #11017.
3.12.1rc0
Features
-
Added support for reusable request bodies to enable retries, redirects, and digest authentication -- by :user:
bdracoand :user:GLGDLY.Most payloads can now be safely reused multiple times, fixing long-standing issues where POST requests with form data or file uploads would fail on redirects with errors like "Form data has been processed already" or "I/O operation on closed file". This also enables digest authentication to work with request bodies and allows retry mechanisms to resend requests without consuming the payload. Note that payloads derived from async iterables may still not be reusable in some cases.
Related issues and pull requests on GitHub:
#5530, #5577, #9201, #11017.