Client ignoring cookies when being set with conflicting expiration dates #7158

Open
1 task done
cinemascop89 opened this issue Jan 5, 2023 · 1 comment

@cinemascop89

Describe the bug

When receiving a response with multiple Set-Cookie headers each containing the same cookie being set with different expiration dates, the client seems to ignore it if one of such expiration dates is in the past.

To Reproduce

Having a server that gives a response like:

    HTTP/1.1 200 OK
    Content-Length: 0
    Content-Type: application/octet-stream
    Date: Thu, 05 Jan 2023 21:57:14 GMT
    Server: Python/3.10 aiohttp/3.8.1
    Set-Cookie: Foo=bar; Secure; HttpOnly
    Set-Cookie: Foo=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Secure; HttpOnly

And a client like:

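    import aiohttp, asyncio
    async def main():
        async with aiohttp.ClientSession() as client:
            await client.get('http://localhost:8070')
            print(client.cookie_jar._cookies)  # private attribute holding the stored cookies
    asyncio.run(main())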

We can see it outputs an empty cookiejar

    defaultdict(<class 'http.cookies.SimpleCookie'>, {'localhost': <SimpleCookie: >})

Expected behavior

While I couldn't find what the "correct" behaviour should be in RFC 6265, this issue was detected while scraping a working website that does this, and the browser stores the cookie successfully. I was also able to validate that this is requests' behaviour too.

Logs/tracebacks

N/A

Python Version

    $ python --version
    Python 3.10.8

aiohttp Version

    $ python -m pip show aiohttp
    Name: aiohttp
    Version: 3.8.3
    Summary: Async http client/server framework (asyncio)
    Home-page: https://github.com/aio-libs/aiohttp
    Author:
    Author-email:
    License: Apache 2
    Location: /home/eduardo/env/py3/lib/python3.10/site-packages
    Requires: frozenlist, attrs, charset-normalizer, aiosignal, multidict, yarl, async-timeout
    Required-by:

multidict Version

    $ python -m pip show multidict
    Name: multidict
    Version: 5.2.0
    Summary: multidict implementation
    Home-page: https://github.com/aio-libs/multidict
    Author: Andrew Svetlov
    Author-email: andrew.svetlov@gmail.com
    License: Apache 2
    Location: /home/eduardo/env/py3/lib/python3.10/site-packages
    Requires:
    Required-by: yarl, aiohttp

yarl Version

    $ python -m pip show yarl
    Name: yarl
    Version: 1.7.2
    Summary: Yet another URL library
    Home-page: https://github.com/aio-libs/yarl/
    Author: Andrew Svetlov
    Author-email: andrew.svetlov@gmail.com
    License: Apache 2
    Location: /home/eduardo/env/py3/lib/python3.10/site-packages
    Requires: idna, multidict
    Required-by: aiohttp

OS

Arch Linux

Related component

Client

Additional context

No response

Code of Conduct

  • I agree to follow the aio-libs Code of Conduct

@Dreamsorcerer
Member

Hmm, my reading suggests this is the right behaviour: https://www.rfc-editor.org/rfc/rfc6265.html#section-5.3

Step 11:

If the cookie store contains a cookie with the same name [...] Remove the old-cookie from the cookie store.

So, the second header should result in the cookie from the first header being removed.

Step 12:

The user agent MUST evict all expired cookies from the cookie store if, at any time, an expired cookie exists in the cookie store.

Then the new cookie gets removed as well.

I suspect for this case, you'd want to avoid the cookiejar and its expiry logic, and instead use the headers directly.
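
The storage steps quoted in the comment above, run over the two headers from the report, as an added example that is not part of the thread or of aiohttp's own code. It is a stdlib-only model keyed on cookie name alone (the RFC also matches domain and path); `jar_after` and `unexpired_from_headers` are hypothetical helper names.

```python
import time
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed input: the two Set-Cookie values from the response in this issue.
# With aiohttp they would come from resp.headers.getall("Set-Cookie", []).
HEADERS = [
    "Foo=bar; Secure; HttpOnly",
    "Foo=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Secure; HttpOnly",
]

def expired(morsel, now):
    """True if the cookie is already expired; Max-Age takes precedence over Expires."""
    try:
        if morsel["max-age"]:
            return int(morsel["max-age"]) <= 0
    except ValueError:
        pass  # unparseable Max-Age is ignored; fall back to Expires
    try:
        if morsel["expires"]:
            return parsedate_to_datetime(morsel["expires"]).timestamp() <= now
    except (TypeError, ValueError):
        pass  # unparseable date is ignored
    return False  # no usable expiry attribute: session cookie

def jar_after(headers, now=None):
    """Model of the section 5.3 outcome: headers are applied in order, per name."""
    now = time.time() if now is None else now
    jar = {}
    for header in headers:
        for name, morsel in SimpleCookie(header).items():
            jar.pop(name, None)           # step 11: old cookie with this name is removed
            if not expired(morsel, now):  # step 12: an expired cookie is evicted
                jar[name] = morsel.value
    return jar

def unexpired_from_headers(headers, now=None):
    """Bypass the jar: keep the value from every header that is not already expired."""
    now = time.time() if now is None else now
    kept = {}
    for header in headers:
        for name, morsel in SimpleCookie(header).items():
            if not expired(morsel, now):
                kept[name] = morsel.value
    return kept

if __name__ == "__main__":
    print(jar_after(HEADERS), jar_after(HEADERS[::-1]), unexpired_from_headers(HEADERS))
```

Header order decides the jar's final state: with the deletion header last the jar ends up empty, and with the order reversed `Foo=bar` survives.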
