3.12.13

Bug fixes

• Fixed auto-created :py:class:~aiohttp.TCPConnector not using the session's event loop when :py:class:~aiohttp.ClientSession is created without an explicit connector -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11147.

---

3.12.12

Bug fixes

• Fixed cookie unquoting to properly handle octal escape sequences in cookie values (e.g., \012 for newline) by vendoring the correct _unquote implementation from Python's http.cookies module -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11173.

• Fixed Cookie header parsing to treat attribute names as regular cookies per :rfc:6265#section-5.4 -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11178.

---

3.12.11

Features

• Improved SSL connection handling by changing the default ssl_shutdown_timeout
  from 0.1 to 0 seconds. SSL connections now use Python's default graceful
  shutdown during normal operation but are aborted immediately when the connector
  is closed, providing optimal behavior for both cases. Also added support for
  ssl_shutdown_timeout=0 on all Python versions. Previously, this value was
  rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
  Python < 3.11 now trigger a RuntimeWarning -- by :user:bdraco.

  The ssl_shutdown_timeout parameter is now deprecated and will be removed in
  aiohttp 4.0 as there is no clear use case for changing the default.

  Related issues and pull requests on GitHub:
  #11148.

Deprecations (removal in next major release)

• Improved SSL connection handling by changing the default ssl_shutdown_timeout
  from 0.1 to 0 seconds. SSL connections now use Python's default graceful
  shutdown during normal operation but are aborted immediately when the connector
  is closed, providing optimal behavior for both cases. Also added support for
  ssl_shutdown_timeout=0 on all Python versions. Previously, this value was
  rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
  Python < 3.11 now trigger a RuntimeWarning -- by :user:bdraco.

  The ssl_shutdown_timeout parameter is now deprecated and will be removed in
  aiohttp 4.0 as there is no clear use case for changing the default.

  Related issues and pull requests on GitHub:
  #11148.

---

3.12.10

Bug fixes

• Fixed leak of aiodns.DNSResolver when :py:class:~aiohttp.TCPConnector is closed and no resolver was passed when creating the connector -- by :user:Tasssadar.

  This was a regression introduced in version 3.12.0 (:pr:10897).

  Related issues and pull requests on GitHub:
  #11150.

---

3.12.9

Bug fixes

• Fixed IOBasePayload and TextIOPayload reading entire files into memory when streaming large files -- by :user:bdraco.

  When using file-like objects with the aiohttp client, the entire file would be read into memory if the file size was provided in the Content-Length header. This could cause out-of-memory errors when uploading large files. The payload classes now correctly read data in chunks of READ_SIZE (64KB) regardless of the total content length.

  Related issues and pull requests on GitHub:
  #11138.

---

3.12.8

Features

• Added preemptive digest authentication to :class:~aiohttp.DigestAuthMiddleware -- by :user:bdraco.

  The middleware now reuses authentication credentials for subsequent requests to the same
  protection space, improving efficiency by avoiding extra authentication round trips.
  This behavior matches how web browsers handle digest authentication and follows
  :rfc:7616#section-3.6.

  Preemptive authentication is enabled by default but can be disabled by passing
  preemptive=False to the middleware constructor.

  Related issues and pull requests on GitHub:
  #11128, #11129.

---

3.12.7

Warning

This release fixes an issue where the quote_cookie parameter was not being properly respected for shared cookies (domain="", path=""). If your server does not handle quoted cookies correctly, you may need to disable cookie quoting by setting quote_cookie=False when creating your ClientSession or CookieJar.
See https://docs.aiohttp.org/en/stable/client_advanced.html#cookie-quoting-routine for details.

Bug fixes

• Fixed cookie parsing to be more lenient when handling cookies with special characters
  in names or values. Cookies with characters like {, }, and / in names are now
  accepted instead of causing a :exc:~http.cookies.CookieError and 500 errors. Additionally,
  cookies with mismatched quotes in values are now parsed correctly, and quoted cookie
  values are now handled consistently whether or not they include special attributes
  like Domain. Also fixed :class:~aiohttp.CookieJar to ensure shared cookies (domain="", path="")
  respect the quote_cookie parameter, making cookie quoting behavior consistent for
  all cookies -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #2683, #5397, #7993, #11112.

• Fixed an issue where cookies with duplicate names but different domains or paths
  were lost when updating the cookie jar. The :class:~aiohttp.ClientSession
  cookie jar now correctly stores all cookies even if they have the same name but
  different domain or path, following the :rfc:6265#section-5.3 storage model -- by :user:bdraco.

  Note that :attr:ClientResponse.cookies <aiohttp.ClientResponse.cookies> returns
  a :class:~http.cookies.SimpleCookie which uses the cookie name as a key, so
  only the last cookie with each name is accessible via this interface. All cookies
  can be accessed via :meth:ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall> if needed.

  Related issues and pull requests on GitHub:
  #4486, #11105, #11106.

Miscellaneous internal changes

• Avoided creating closed futures in ResponseHandler that will never be awaited -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11107.

• Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11114.

---

3.12.7rc0

Bug fixes

• Fixed cookie parsing to be more lenient when handling cookies with special characters
  in names or values. Cookies with characters like {, }, and / in names are now
  accepted instead of causing a :exc:~http.cookies.CookieError and 500 errors. Additionally,
  cookies with mismatched quotes in values are now parsed correctly, and quoted cookie
  values are now handled consistently whether or not they include special attributes
  like Domain. Also fixed :class:~aiohttp.CookieJar to ensure shared cookies (domain="", path="")
  respect the quote_cookie parameter, making cookie quoting behavior consistent for
  all cookies -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #2683, #5397, #7993, #11112.

• Fixed an issue where cookies with duplicate names but different domains or paths
  were lost when updating the cookie jar. The :class:~aiohttp.ClientSession
  cookie jar now correctly stores all cookies even if they have the same name but
  different domain or path, following the :rfc:6265#section-5.3 storage model -- by :user:bdraco.

  Note that :attr:ClientResponse.cookies <aiohttp.ClientResponse.cookies> returns
  a :class:~http.cookies.SimpleCookie which uses the cookie name as a key, so
  only the last cookie with each name is accessible via this interface. All cookies
  can be accessed via :meth:ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall> if needed.

  Related issues and pull requests on GitHub:
  #4486, #11105, #11106.

Miscellaneous internal changes

• Avoided creating closed futures in ResponseHandler that will never be awaited -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11107.

• Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11114.

---

3.12.6

Bug fixes

• Fixed spurious "Future exception was never retrieved" warnings for connection lost errors when the connector is not closed -- by :user:bdraco.

  When connections are lost, the exception is now marked as retrieved since it is always propagated through other means, preventing unnecessary warnings in logs.

  Related issues and pull requests on GitHub:
  #11100.

---

3.12.5

This release failed to upload to PyPI because sigstore failed with 502 Server Error: Bad Gateway for url: https://rekor.sigstore.dev/api/v1/log/entries/. A new release will need to be made.

Features

• Added ssl_shutdown_timeout parameter to :py:class:~aiohttp.ClientSession and :py:class:~aiohttp.TCPConnector to control the grace period for SSL shutdown handshake on TLS connections. This helps prevent "connection reset" errors on the server side while avoiding excessive delays during connector cleanup. Note: This parameter only takes effect on Python 3.11+ -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11091, #11094.

Miscellaneous internal changes

• Improved performance of isinstance checks by using collections.abc types instead of typing module equivalents -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11085, #11088.

---