Releases: aio-libs/aiohttp
3.12.11
Features
-
Improved SSL connection handling by changing the default
ssl_shutdown_timeout
from0.1to0seconds. SSL connections now use Python's default graceful
shutdown during normal operation but are aborted immediately when the connector
is closed, providing optimal behavior for both cases. Also added support for
ssl_shutdown_timeout=0on all Python versions. Previously, this value was
rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
Python < 3.11 now trigger aRuntimeWarning-- by :user:bdraco.The
ssl_shutdown_timeoutparameter is now deprecated and will be removed in
aiohttp 4.0 as there is no clear use case for changing the default.Related issues and pull requests on GitHub:
#11148.
Deprecations (removal in next major release)
-
Improved SSL connection handling by changing the default
ssl_shutdown_timeout
from0.1to0seconds. SSL connections now use Python's default graceful
shutdown during normal operation but are aborted immediately when the connector
is closed, providing optimal behavior for both cases. Also added support for
ssl_shutdown_timeout=0on all Python versions. Previously, this value was
rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
Python < 3.11 now trigger aRuntimeWarning-- by :user:bdraco.The
ssl_shutdown_timeoutparameter is now deprecated and will be removed in
aiohttp 4.0 as there is no clear use case for changing the default.Related issues and pull requests on GitHub:
#11148.
3.12.10
3.12.9
Bug fixes
-
Fixed
IOBasePayloadandTextIOPayloadreading entire files into memory when streaming large files -- by :user:bdraco.When using file-like objects with the aiohttp client, the entire file would be read into memory if the file size was provided in the
Content-Lengthheader. This could cause out-of-memory errors when uploading large files. The payload classes now correctly read data in chunks ofREAD_SIZE(64KB) regardless of the total content length.Related issues and pull requests on GitHub:
#11138.
3.12.8
Features
-
Added preemptive digest authentication to :class:
~aiohttp.DigestAuthMiddleware-- by :user:bdraco.The middleware now reuses authentication credentials for subsequent requests to the same
protection space, improving efficiency by avoiding extra authentication round trips.
This behavior matches how web browsers handle digest authentication and follows
:rfc:7616#section-3.6.Preemptive authentication is enabled by default but can be disabled by passing
preemptive=Falseto the middleware constructor.
3.12.7
Warning
This release fixes an issue where the quote_cookie parameter was not being properly respected for shared cookies (domain="", path=""). If your server does not handle quoted cookies correctly, you may need to disable cookie quoting by setting quote_cookie=False when creating your ClientSession or CookieJar.
See https://docs.aiohttp.org/en/stable/client_advanced.html#cookie-quoting-routine for details.
Bug fixes
-
Fixed cookie parsing to be more lenient when handling cookies with special characters
in names or values. Cookies with characters like{,}, and/in names are now
accepted instead of causing a :exc:~http.cookies.CookieErrorand 500 errors. Additionally,
cookies with mismatched quotes in values are now parsed correctly, and quoted cookie
values are now handled consistently whether or not they include special attributes
likeDomain. Also fixed :class:~aiohttp.CookieJarto ensure shared cookies (domain="", path="")
respect thequote_cookieparameter, making cookie quoting behavior consistent for
all cookies -- by :user:bdraco.Related issues and pull requests on GitHub:
#2683, #5397, #7993, #11112. -
Fixed an issue where cookies with duplicate names but different domains or paths
were lost when updating the cookie jar. The :class:~aiohttp.ClientSession
cookie jar now correctly stores all cookies even if they have the same name but
different domain or path, following the :rfc:6265#section-5.3storage model -- by :user:bdraco.Note that :attr:
ClientResponse.cookies <aiohttp.ClientResponse.cookies>returns
a :class:~http.cookies.SimpleCookiewhich uses the cookie name as a key, so
only the last cookie with each name is accessible via this interface. All cookies
can be accessed via :meth:ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall>if needed.Related issues and pull requests on GitHub:
#4486, #11105, #11106.
Miscellaneous internal changes
-
Avoided creating closed futures in
ResponseHandlerthat will never be awaited -- by :user:bdraco.Related issues and pull requests on GitHub:
#11107. -
Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:
bdraco.Related issues and pull requests on GitHub:
#11114.
3.12.7rc0
bdraco
J. Nick Koston
Bug fixes
-
Fixed cookie parsing to be more lenient when handling cookies with special characters
in names or values. Cookies with characters like{,}, and/in names are now
accepted instead of causing a :exc:~http.cookies.CookieErrorand 500 errors. Additionally,
cookies with mismatched quotes in values are now parsed correctly, and quoted cookie
values are now handled consistently whether or not they include special attributes
likeDomain. Also fixed :class:~aiohttp.CookieJarto ensure shared cookies (domain="", path="")
respect thequote_cookieparameter, making cookie quoting behavior consistent for
all cookies -- by :user:bdraco.Related issues and pull requests on GitHub:
#2683, #5397, #7993, #11112. -
Fixed an issue where cookies with duplicate names but different domains or paths
were lost when updating the cookie jar. The :class:~aiohttp.ClientSession
cookie jar now correctly stores all cookies even if they have the same name but
different domain or path, following the :rfc:6265#section-5.3storage model -- by :user:bdraco.Note that :attr:
ClientResponse.cookies <aiohttp.ClientResponse.cookies>returns
a :class:~http.cookies.SimpleCookiewhich uses the cookie name as a key, so
only the last cookie with each name is accessible via this interface. All cookies
can be accessed via :meth:ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall>if needed.Related issues and pull requests on GitHub:
#4486, #11105, #11106.
Miscellaneous internal changes
-
Avoided creating closed futures in
ResponseHandlerthat will never be awaited -- by :user:bdraco.Related issues and pull requests on GitHub:
#11107. -
Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:
bdraco.Related issues and pull requests on GitHub:
#11114.
3.12.6
Bug fixes
-
Fixed spurious "Future exception was never retrieved" warnings for connection lost errors when the connector is not closed -- by :user:
bdraco.When connections are lost, the exception is now marked as retrieved since it is always propagated through other means, preventing unnecessary warnings in logs.
Related issues and pull requests on GitHub:
#11100.
3.12.5
This release failed to upload to PyPI because sigstore failed with 502 Server Error: Bad Gateway for url: https://rekor.sigstore.dev/api/v1/log/entries/. A new release will need to be made.
Features
-
Added
ssl_shutdown_timeoutparameter to :py:class:~aiohttp.ClientSessionand :py:class:~aiohttp.TCPConnectorto control the grace period for SSL shutdown handshake on TLS connections. This helps prevent "connection reset" errors on the server side while avoiding excessive delays during connector cleanup. Note: This parameter only takes effect on Python 3.11+ -- by :user:bdraco.
Miscellaneous internal changes
-
Improved performance of isinstance checks by using collections.abc types instead of typing module equivalents -- by :user:
bdraco.