[PR aio-libs#12271/e04da11f backport][3.14] Copy unsafe setting from session cookie jar to ad-hoc request cookie jar (aio-libs#12274)

patchback[bot] · Krishnachaitanyakc · web-flow · commit 6a86e0f87e18 · 2026-03-25T14:49:22.000Z
**This is a backport of PR aio-libs#12271 as merged into master (e04da11).** Co-authored-by: Krishna Chaitanya <krishnabkc15@gmail.com>
diff --git a/CHANGES/12011.bugfix.rst b/CHANGES/12011.bugfix.rst
@@ -0,0 +1 @@
+Fixed ad-hoc cookies passed to individual requests not being sent when the session's cookie jar has ``unsafe=True`` and the target URL uses an IP address, by copying the ``unsafe`` setting from the session's cookie jar to the temporary cookie jar -- by :user:`Krishnachaitanyakc`.
diff --git a/aiohttp/abc.py b/aiohttp/abc.py
@@ -163,6 +163,11 @@ class AbstractCookieJar(Sized, IterableBase):
     def __init__(self, *, loop: asyncio.AbstractEventLoop | None = None) -> None:
         self._loop = loop or asyncio.get_running_loop()
 
+    @property
+    @abstractmethod
+    def unsafe(self) -> bool:
+        """Return True if cookies can be used with IP addresses."""
+
     @property
     @abstractmethod
     def quote_cookie(self) -> bool:
diff --git a/aiohttp/client.py b/aiohttp/client.py
@@ -724,7 +724,8 @@ async def _request(
 
                     if cookies is not None:
                         tmp_cookie_jar = CookieJar(
-                            quote_cookie=self._cookie_jar.quote_cookie
+                            unsafe=self._cookie_jar.unsafe,
+                            quote_cookie=self._cookie_jar.quote_cookie,
                         )
                         tmp_cookie_jar.update_cookies(cookies)
                         req_cookies = tmp_cookie_jar.filter_cookies(url)
diff --git a/aiohttp/cookiejar.py b/aiohttp/cookiejar.py
@@ -143,6 +143,10 @@ def __init__(
         self._expire_heap: list[tuple[float, tuple[str, str, str]]] = []
         self._expirations: dict[tuple[str, str, str], float] = {}
 
+    @property
+    def unsafe(self) -> bool:
+        return self._unsafe
+
     @property
     def quote_cookie(self) -> bool:
         return self._quote_cookie
@@ -600,6 +604,10 @@ def __iter__(self) -> "Iterator[Morsel[str]]":
     def __len__(self) -> int:
         return 0
 
+    @property
+    def unsafe(self) -> bool:
+        return False
+
     @property
     def quote_cookie(self) -> bool:
         return True
diff --git a/tests/test_client_session.py b/tests/test_client_session.py
@@ -747,6 +747,10 @@ def __init__(self) -> None:
             self._clear_domain_mock = mock.Mock()
             self._items: list[Any] = []
 
+        @property
+        def unsafe(self) -> bool:
+            return False
+
         @property
         def quote_cookie(self) -> bool:
             return True
@@ -772,6 +776,7 @@ def __iter__(self) -> Iterator[Any]:
     jar = MockCookieJar()
 
     assert jar.quote_cookie is True
+    assert jar.unsafe is False
     assert len(jar) == 0
     assert list(jar) == []
     jar.clear()
@@ -828,6 +833,27 @@ async def handler(_: web.Request) -> web.Response:
     assert resp.request_info.headers.get("Cookie", "") == "name=val=foobar"
 
 
+async def test_cookies_with_unsafe_cookie_jar(
+    aiohttp_server: AiohttpServer,
+) -> None:
+    async def handler(request: web.Request) -> web.Response:
+        return web.Response()
+
+    app = web.Application()
+    app.router.add_route("GET", "/", handler)
+    server = await aiohttp_server(app)
+    jar = CookieJar(unsafe=True)
+    # Use an IP-based URL to verify that ad-hoc cookies are sent
+    # when the session cookie jar has unsafe=True.
+    ip_url = server.make_url("/")
+    assert ip_url.host is not None
+    assert ip_url.host.count(".") == 3  # Sanity check it looks like an IP address
+    cookies = {"adhoc": "value"}
+    async with aiohttp.ClientSession(cookie_jar=jar) as sess:
+        async with sess.request("GET", ip_url, cookies=cookies) as resp:
+            assert "adhoc=value" in resp.request_info.headers.get("Cookie", "")
+
+
 async def test_session_default_version(loop: asyncio.AbstractEventLoop) -> None:
     session = aiohttp.ClientSession()
     assert session.version == aiohttp.HttpVersion11
diff --git a/tests/test_cookiejar.py b/tests/test_cookiejar.py
@@ -827,6 +827,7 @@ async def make_jar():
 async def test_dummy_cookie_jar() -> None:
     cookie = SimpleCookie("foo=bar; Domain=example.com;")
     dummy_jar = DummyCookieJar()
+    assert dummy_jar.unsafe is False
     assert dummy_jar.quote_cookie is True
     assert len(dummy_jar) == 0
     dummy_jar.update_cookies(cookie)
@@ -1809,3 +1810,11 @@ async def test_save_load_json_secure_cookies(tmp_path: Path) -> None:
     assert cookie["secure"] is True
     assert cookie["httponly"] is True
     assert cookie["domain"] == "example.com"
+
+
+async def test_cookie_jar_unsafe_property() -> None:
+    jar_safe = CookieJar()
+    assert jar_safe.unsafe is False
+
+    jar_unsafe = CookieJar(unsafe=True)
+    assert jar_unsafe.unsafe is True

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Fixed ad-hoc cookies passed to individual requests not being sent when the session's cookie jar has ``unsafe=True`` and the target URL uses an IP address, by copying the ``unsafe`` setting from the session's cookie jar to the temporary cookie jar -- by :user:`Krishnachaitanyakc`.
Original file line number	Diff line number	Diff line change
`@@ -724,7 +724,8 @@ async def _request(`
`724`	`724`
`725`	`725`	`if cookies is not None:`
`726`	`726`	`tmp_cookie_jar = CookieJar(`
`727`		`- quote_cookie=self._cookie_jar.quote_cookie`
	`727`	`+ unsafe=self._cookie_jar.unsafe,`
	`728`	`+ quote_cookie=self._cookie_jar.quote_cookie,`
`728`	`729`	`)`
`729`	`730`	`tmp_cookie_jar.update_cookies(cookies)`
`730`	`731`	`req_cookies = tmp_cookie_jar.filter_cookies(url)`