3.12.7

Bug fixes

• Fixed cookie parsing to be more lenient when handling cookies with special characters
  in names or values. Cookies with characters like {, }, and / in names are now
  accepted instead of causing a :exc:~http.cookies.CookieError and 500 errors. Additionally,
  cookies with mismatched quotes in values are now parsed correctly, and quoted cookie
  values are now handled consistently whether or not they include special attributes
  like Domain. Also fixed :class:~aiohttp.CookieJar to ensure shared cookies (domain="", path="")
  respect the quote_cookie parameter, making cookie quoting behavior consistent for
  all cookies -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #2683, #5397, #7993, #11112.

• Fixed an issue where cookies with duplicate names but different domains or paths
  were lost when updating the cookie jar. The :class:~aiohttp.ClientSession
  cookie jar now correctly stores all cookies even if they have the same name but
  different domain or path, following the :rfc:6265#section-5.3 storage model -- by :user:bdraco.

  Note that :attr:ClientResponse.cookies <aiohttp.ClientResponse.cookies> returns
  a :class:~http.cookies.SimpleCookie which uses the cookie name as a key, so
  only the last cookie with each name is accessible via this interface. All cookies
  can be accessed via :meth:ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall> if needed.

  Related issues and pull requests on GitHub:
  #4486, #11105, #11106.

Miscellaneous internal changes

• Avoided creating closed futures in ResponseHandler that will never be awaited -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11107.

• Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11114.

---

3.12.7rc0

Bug fixes

• Fixed cookie parsing to be more lenient when handling cookies with special characters
  in names or values. Cookies with characters like {, }, and / in names are now
  accepted instead of causing a :exc:~http.cookies.CookieError and 500 errors. Additionally,
  cookies with mismatched quotes in values are now parsed correctly, and quoted cookie
  values are now handled consistently whether or not they include special attributes
  like Domain. Also fixed :class:~aiohttp.CookieJar to ensure shared cookies (domain="", path="")
  respect the quote_cookie parameter, making cookie quoting behavior consistent for
  all cookies -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #2683, #5397, #7993, #11112.

• Fixed an issue where cookies with duplicate names but different domains or paths
  were lost when updating the cookie jar. The :class:~aiohttp.ClientSession
  cookie jar now correctly stores all cookies even if they have the same name but
  different domain or path, following the :rfc:6265#section-5.3 storage model -- by :user:bdraco.

  Note that :attr:ClientResponse.cookies <aiohttp.ClientResponse.cookies> returns
  a :class:~http.cookies.SimpleCookie which uses the cookie name as a key, so
  only the last cookie with each name is accessible via this interface. All cookies
  can be accessed via :meth:ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall> if needed.

  Related issues and pull requests on GitHub:
  #4486, #11105, #11106.

Miscellaneous internal changes

• Avoided creating closed futures in ResponseHandler that will never be awaited -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11107.

• Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11114.

---

3.12.6

Bug fixes

• Fixed spurious "Future exception was never retrieved" warnings for connection lost errors when the connector is not closed -- by :user:bdraco.

  When connections are lost, the exception is now marked as retrieved since it is always propagated through other means, preventing unnecessary warnings in logs.

  Related issues and pull requests on GitHub:
  #11100.

---

3.12.5

This release failed to upload to PyPI because sigstore failed with 502 Server Error: Bad Gateway for url: https://rekor.sigstore.dev/api/v1/log/entries/. A new release will need to be made.

Features

• Added ssl_shutdown_timeout parameter to :py:class:~aiohttp.ClientSession and :py:class:~aiohttp.TCPConnector to control the grace period for SSL shutdown handshake on TLS connections. This helps prevent "connection reset" errors on the server side while avoiding excessive delays during connector cleanup. Note: This parameter only takes effect on Python 3.11+ -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11091, #11094.

Miscellaneous internal changes

• Improved performance of isinstance checks by using collections.abc types instead of typing module equivalents -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11085, #11088.

---

3.12.4

Bug fixes

• Fixed connector not waiting for connections to close before returning from :meth:~aiohttp.BaseConnector.close (partial backport of :pr:3733) -- by :user:atemate and :user:bdraco.

  Related issues and pull requests on GitHub:
  #1925, #11074.

---

3.12.3

Bug fixes

• Fixed memory leak in :py:meth:~aiohttp.CookieJar.filter_cookies that caused unbounded memory growth
  when making requests to different URL paths -- by :user:bdraco and :user:Cycloctane.

  Related issues and pull requests on GitHub:
  #11052, #11054.

---

3.12.2

Bug fixes

• Fixed Content-Length header not being set to 0 for non-GET requests with None body -- by :user:bdraco.

  Non-GET requests (POST, PUT, PATCH, DELETE) with None as the body now correctly set the Content-Length header to 0, matching the behavior of requests with empty bytes (b""). This regression was introduced in aiohttp 3.12.1.

  Related issues and pull requests on GitHub:
  #11035.

---

3.12.1

Features

• Added support for reusable request bodies to enable retries, redirects, and digest authentication -- by :user:bdraco and :user:GLGDLY.

  Most payloads can now be safely reused multiple times, fixing long-standing issues where POST requests with form data or file uploads would fail on redirects with errors like "Form data has been processed already" or "I/O operation on closed file". This also enables digest authentication to work with request bodies and allows retry mechanisms to resend requests without consuming the payload. Note that payloads derived from async iterables may still not be reusable in some cases.

  Related issues and pull requests on GitHub:
  #5530, #5577, #9201, #11017.

---

3.12.1rc0

Features

• Added support for reusable request bodies to enable retries, redirects, and digest authentication -- by :user:bdraco and :user:GLGDLY.

  Most payloads can now be safely reused multiple times, fixing long-standing issues where POST requests with form data or file uploads would fail on redirects with errors like "Form data has been processed already" or "I/O operation on closed file". This also enables digest authentication to work with request bodies and allows retry mechanisms to resend requests without consuming the payload. Note that payloads derived from async iterables may still not be reusable in some cases.

  Related issues and pull requests on GitHub:
  #5530, #5577, #9201, #11017.

---

3.12.0

Bug fixes

• Fixed :py:attr:~aiohttp.web.WebSocketResponse.prepared property to correctly reflect the prepared state, especially during timeout scenarios -- by :user:bdraco

  Related issues and pull requests on GitHub:
  #6009, #10988.

• Response is now always True, instead of using MutableMapping behaviour (False when map is empty)

  Related issues and pull requests on GitHub:
  #10119.

• Fixed connection reuse for file-like data payloads by ensuring buffer
  truncation respects content-length boundaries and preventing premature
  connection closure race -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #10325, #10915, #10941, #10943.

• Fixed pytest plugin to not use deprecated :py:mod:asyncio policy APIs.

  Related issues and pull requests on GitHub:
  #10851.

• Fixed :py:class:~aiohttp.resolver.AsyncResolver not using the loop argument in versions 3.x where it should still be supported -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #10951.

Features

• Added a comprehensive HTTP Digest Authentication client middleware (DigestAuthMiddleware)
  that implements RFC 7616. The middleware supports all standard hash algorithms
  (MD5, SHA, SHA-256, SHA-512) with session variants, handles both 'auth' and
  'auth-int' quality of protection options, and automatically manages the
  authentication flow by intercepting 401 responses and retrying with proper
  credentials -- by :user:feus4177, :user:TimMenninger, and :user:bdraco.

  Related issues and pull requests on GitHub:
  #2213, #10725.

• Added client middleware support -- by :user:bdraco and :user:Dreamsorcerer.

  This change allows users to add middleware to the client session and requests, enabling features like
  authentication, logging, and request/response modification without modifying the core
  request logic. Additionally, the session attribute was added to ClientRequest,
  allowing middleware to access the session for making additional requests.

  Related issues and pull requests on GitHub:
  #9732, #10902, #10945, #10952, #10959, #10968.

• Allow user setting zlib compression backend -- by :user:TimMenninger

  This change allows the user to call :func:aiohttp.set_zlib_backend() with the
  zlib compression module of their choice. Default behavior continues to use
  the builtin zlib library.

  Related issues and pull requests on GitHub:
  #9798.

• Added support for overriding the base URL with an absolute one in client sessions
  -- by :user:vivodi.

  Related issues and pull requests on GitHub:
  #10074.

• Added host parameter to aiohttp_server fixture -- by :user:christianwbrock.

  Related issues and pull requests on GitHub:
  #10120.

• Detect blocking calls in coroutines using BlockBuster -- by :user:cbornet.

  Related issues and pull requests on GitHub:
  #10433.

• Added socket_factory to :py:class:aiohttp.TCPConnector to allow specifying custom socket options
  -- by :user:TimMenninger.

  Related issues and pull requests on GitHub:
  #10474, #10520, #10961, #10962.

• Started building armv7l manylinux wheels -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #10797.

• Implemented shared DNS resolver management to fix excessive resolver object creation
  when using multiple client sessions. The new _DNSResolverManager singleton ensures
  only one DNSResolver object is created for default configurations, significantly
  reducing resource usage and improving performance for applications using multiple
  client sessions simultaneously -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #10847, #10923, #10946.

• Upgraded to LLHTTP 9.3.0 -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #10972.

• Optimized small HTTP requests/responses by coalescing headers and body into a single TCP packet -- by :user:bdraco.

  This change enhances network efficiency by reducing the number of packets sent for small HTTP payloads, improving latency and reducing overhead. Most importantly, this fixes compatibility with memory-constrained IoT devices that can only perform a single read operation and expect HTTP requests in one packet. The optimization uses zero-copy writelines when coalescing data and works with both regular and chunked transfer encoding.

  When aiohttp uses client middleware to communicate with an aiohttp server, connection reuse is more likely to occur since complete responses arrive in a single packet for small payloads.

  This aligns aiohttp with other popular HTTP clients that already coalesce small requests.

  Related issues and pull requests on GitHub:
  #10991.

Improved documentation

• Improved documentation for middleware by adding warnings and examples about
  request body stream consumption. The documentation now clearly explains that
  request body streams can only be read once and provides best practices for
  sharing parsed request data between middleware and handlers -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #2914.

Packaging updates and notes for downstreams

• Removed non SPDX-license description from setup.cfg -- by :user:devanshu-ziphq.

  Related issues and pull requests on GitHub:
  #10662.

• Added support for building against system llhttp library -- by :user:mgorny.

  This change adds support for :envvar:AIOHTTP_USE_SYSTEM_DEPS environment variable that
  can be used to build aiohttp against the system install of the llhttp library rather
  than the vendored one.

  Related issues and pull requests on GitHub:
  #10759.

• aiodns is now installed on Windows with speedups extra -- by :user:bdraco.

  As of aiodns 3.3.0, SelectorEventLoop is no longer required when using pycares 4.7.0 or later.

  Related issues and pull requests on GitHub:
  #10823.

• Fixed compatibility issue with Cython 3.1.1 -- by :user:bdraco

  Related issues and pull requests on GitHub:
  #10877.

Contributor-facing changes

• Sped up tests by disabling blockbuster fixture for test_static_file_huge and test_static_file_huge_cancel tests -- by :user:dikos1337.

  Related issues and pull requests on GitHub:
  #9705, #10761.

• Updated tests to avoid using deprecated :py:mod:asyncio policy APIs and
  make it compatible with Python 3.14.

  Related issues and pull requests on GitHub:
  #10851.

• Added Winloop to test suite to support in the future -- by :user:Vizonex.

  Related issues and pull requests on GitHub:
  #10922.

Miscellaneous internal changes

• Added support for the partitioned attribute in the set_cookie method.

  Related issues and pull requests on GitHub:
  #9870.

• Setting :attr:aiohttp.web.StreamResponse.last_modified to an unsupported type will now raise :exc:TypeError instead of silently failing -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #10146.

---