Copy unsafe setting from session cookie jar to ad-hoc request cookie jar (aio-libs#12271)

Krishnachaitanyakc · web-flow · commit e04da11f7a07 · 2026-03-25T14:27:36.000Z
diff --git a/CHANGES/12011.bugfix.rst b/CHANGES/12011.bugfix.rst
@@ -0,0 +1 @@
+Fixed ad-hoc cookies passed to individual requests not being sent when the session's cookie jar has ``unsafe=True`` and the target URL uses an IP address, by copying the ``unsafe`` setting from the session's cookie jar to the temporary cookie jar -- by :user:`Krishnachaitanyakc`.
diff --git a/aiohttp/abc.py b/aiohttp/abc.py
@@ -153,6 +153,11 @@ async def close(self) -> None:
 class AbstractCookieJar(Sized, Iterable[Morsel[str]]):
     """Abstract Cookie Jar."""
 
+    @property
+    @abstractmethod
+    def unsafe(self) -> bool:
+        """Return True if cookies can be used with IP addresses."""
+
     @property
     @abstractmethod
     def quote_cookie(self) -> bool:
diff --git a/aiohttp/client.py b/aiohttp/client.py
@@ -670,7 +670,8 @@ async def _request(
 
                     if cookies is not None:
                         tmp_cookie_jar = CookieJar(
-                            quote_cookie=self._cookie_jar.quote_cookie
+                            unsafe=self._cookie_jar.unsafe,
+                            quote_cookie=self._cookie_jar.quote_cookie,
                         )
                         tmp_cookie_jar.update_cookies(cookies)
                         req_cookies = tmp_cookie_jar.filter_cookies(url)
diff --git a/aiohttp/cookiejar.py b/aiohttp/cookiejar.py
@@ -106,6 +106,10 @@ def __init__(
         self._expire_heap: list[tuple[float, tuple[str, str, str]]] = []
         self._expirations: dict[tuple[str, str, str], float] = {}
 
+    @property
+    def unsafe(self) -> bool:
+        return self._unsafe
+
     @property
     def quote_cookie(self) -> bool:
         return self._quote_cookie
@@ -546,6 +550,10 @@ def __iter__(self) -> "Iterator[Morsel[str]]":
     def __len__(self) -> int:
         return 0
 
+    @property
+    def unsafe(self) -> bool:
+        return False
+
     @property
     def quote_cookie(self) -> bool:
         return True
diff --git a/tests/test_client_session.py b/tests/test_client_session.py
@@ -775,6 +775,10 @@ def __init__(self) -> None:
             self._clear_domain_mock = mock.Mock()
             self._items: list[Any] = []
 
+        @property
+        def unsafe(self) -> bool:
+            return False
+
         @property
         def quote_cookie(self) -> bool:
             return True
@@ -800,6 +804,7 @@ def __iter__(self) -> Iterator[Any]:
     jar = MockCookieJar()
 
     assert jar.quote_cookie is True
+    assert jar.unsafe is False
     assert len(jar) == 0
     assert list(jar) == []
     jar.clear()
@@ -857,6 +862,27 @@ async def handler(_: web.Request) -> web.Response:
     assert resp.request_info.headers.get("Cookie", "") == "name=val=foobar"
 
 
+async def test_cookies_with_unsafe_cookie_jar(
+    aiohttp_server: AiohttpServer,
+) -> None:
+    async def handler(request: web.Request) -> web.Response:
+        return web.Response()
+
+    app = web.Application()
+    app.router.add_route("GET", "/", handler)
+    server = await aiohttp_server(app)
+    jar = CookieJar(unsafe=True)
+    # Use an IP-based URL to verify that ad-hoc cookies are sent
+    # when the session cookie jar has unsafe=True.
+    ip_url = server.make_url("/")
+    assert ip_url.host is not None
+    assert ip_url.host.count(".") == 3  # Sanity check it looks like an IP address
+    cookies = {"adhoc": "value"}
+    async with aiohttp.ClientSession(cookie_jar=jar) as sess:
+        async with sess.request("GET", ip_url, cookies=cookies) as resp:
+            assert "adhoc=value" in resp.request_info.headers.get("Cookie", "")
+
+
 async def test_session_default_version(loop: asyncio.AbstractEventLoop) -> None:
     session = aiohttp.ClientSession()
     assert session.version == aiohttp.HttpVersion11
diff --git a/tests/test_cookiejar.py b/tests/test_cookiejar.py
@@ -761,6 +761,7 @@ async def test_path_filter_diff_folder_same_name_return_best_match_independent_f
 async def test_dummy_cookie_jar() -> None:
     cookie = SimpleCookie("foo=bar; Domain=example.com;")
     dummy_jar = DummyCookieJar()
+    assert dummy_jar.unsafe is False
     assert dummy_jar.quote_cookie is True
     assert len(dummy_jar) == 0
     dummy_jar.update_cookies(cookie)
@@ -1621,3 +1622,11 @@ def test_save_load_json_secure_cookies(tmp_path: Path) -> None:
     assert cookie["secure"] is True
     assert cookie["httponly"] is True
     assert cookie["domain"] == "example.com"
+
+
+async def test_cookie_jar_unsafe_property() -> None:
+    jar_safe = CookieJar()
+    assert jar_safe.unsafe is False
+
+    jar_unsafe = CookieJar(unsafe=True)
+    assert jar_unsafe.unsafe is True

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Fixed ad-hoc cookies passed to individual requests not being sent when the session's cookie jar has ``unsafe=True`` and the target URL uses an IP address, by copying the ``unsafe`` setting from the session's cookie jar to the temporary cookie jar -- by :user:`Krishnachaitanyakc`.
Original file line number	Diff line number	Diff line change
`@@ -670,7 +670,8 @@ async def _request(`
`670`	`670`
`671`	`671`	`if cookies is not None:`
`672`	`672`	`tmp_cookie_jar = CookieJar(`
`673`		`- quote_cookie=self._cookie_jar.quote_cookie`
	`673`	`+ unsafe=self._cookie_jar.unsafe,`
	`674`	`+ quote_cookie=self._cookie_jar.quote_cookie,`
`674`	`675`	`)`
`675`	`676`	`tmp_cookie_jar.update_cookies(cookies)`
`676`	`677`	`req_cookies = tmp_cookie_jar.filter_cookies(url)`