Skip to content

google's invalid g_state cookies cause aiohttp to stop parsing cookies after it #11632

Closed
#11724
Closed
google's invalid g_state cookies cause aiohttp to stop parsing cookies after it#11632
#11724
Labels
bug
@thehesiod

Description

@thehesiod
thehesiod
opened on Oct 10, 2025

Describe the bug

google creates invalid g_state cookies (https://stackoverflow.com/questions/66864766/one-tap-login-g-state-cookie-is-not-parseable-on-http-cookies-simplecookie) which causes aiohttp._cookie_helpers.parse_cookie_header to not match on that key, and then break out and not return any more of the keys, and even worse without any warning.

To Reproduce

  1. Implement server with route that echos back cookies:
    async def echo_cookies(self, req):
        # Return the cookie names as parsed by aiohttp
        return json_response({
            'cookie_names': list(req.cookies.keys()),
            'cookies': dict(req.cookies),
        })
  1. Use client to send cookies:
        cookie_header = (
            '_ga=ga; '
            'ajs_anonymous_id=0anonymous; '
            'analytics_session_id=session; '
            'cookies-analytics=true; '
            'cookies-functional=true; '
            'cookies-marketing=true; '
            'cookies-preferences=true; '
            'g_state={"i_l":0,"i_ll":12345,"i_b":"blah"}; '
            'analytics_session_id.last_access=1760128947692; '
            'landingPageURLRaw=landingPageURLRaw; '
            'landingPageURL=landingPageURL; '
            'referrerPageURLRaw=; '
            'referrerPageURL=; '
            'formURLRaw=formURLRaw; '
            'formURL=formURL; '
            'fbnAuthExpressCheckout=fbnAuthExpressCheckout; '
            'is_express_checkout=1; '
        )

        resp = await self.client.get('/echo-cookies', headers={'Cookie': cookie_header})
        self.assertEqual(resp.status, 200)
        data = await resp.json()

note that everything after g_state is not returned.

Expected behavior

Given that presumably chrome can parse this, aiohttp should as well

Logs/tracebacks

g_state and everything after it is not returned

Python Version

Python 3.11.1

aiohttp Version

Name: aiohttp
Version: 3.12.15
Summary: Async http client/server framework (asyncio)
Home-page: https://github.com/aio-libs/aiohttp
Author: 
Author-email: 
License: Apache-2.0 AND MIT
Location: /Users/alexmohr/.local/share/uv/venv/fbn.com/api/commodities/lib/python3.11/site-packages
Requires: aiohappyeyeballs, aiosignal, attrs, frozenlist, multidict, propcache, yarl

multidict Version

Name: multidict
Version: 6.6.4
Summary: multidict implementation
Home-page: https://github.com/aio-libs/multidict
Author: Andrew Svetlov
Author-email: andrew.svetlov@gmail.com
License: Apache License 2.0

propcache Version

Name: propcache
Version: 0.3.2
Summary: Accelerated property cache
Home-page: https://github.com/aio-libs/propcache
Author: Andrew Svetlov
Author-email: andrew.svetlov@gmail.com
License: Apache-2.0

yarl Version

Name: yarl
Version: 1.20.1
Summary: Yet another URL library
Home-page: https://github.com/aio-libs/yarl
Author: Andrew Svetlov
Author-email: andrew.svetlov@gmail.com
License: Apache-2.0

OS

OSX 26.0.1 (25A362)

Related component

Server

Additional context

No response

Code of Conduct

  • I agree to follow the aio-libs Code of Conduct

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions