Fix cookie header parser ignoring reserved names

[bdraco]

What do these changes do?

This PR fixes the Cookie header parser to correctly handle reserved attribute names (like path, domain, secure) as regular cookies, per RFC 6265 Section 5.4.

Previously, Cookie headers like session=abc123; path=/api; secure=true would only parse session=abc123, incorrectly ignoring path and secure. Now all three are correctly parsed as cookies.

The fix:

• Adds a new parse_cookie_header() function specifically for RFC 6265 compliant Cookie header parsing
• Renames the existing parse_cookie_headers() to parse_set_cookie_headers() for clarity
• Updates all Cookie header parsing locations to use the new parser

Are there changes in behavior for the user?

Yes, Cookie headers containing reserved attribute names will now be parsed differently:

Before:

# Cookie: "session=abc123; path=/api; secure=true"
request.cookies == {"session": "abc123"}  # path and secure ignored

After:

# Cookie: "session=abc123; path=/api; secure=true"
request.cookies == {"session": "abc123", "path": "/api", "secure": "true"}

This is the correct behavior per RFC 6265 and matches what web browsers do.

Is it a substantial burden for the maintainers to support this?

No. This change:

• Simplifies the cookie parsing logic by having separate parsers for different header types
• Makes the code more RFC compliant and easier to understand
• Uses the same robust regex-based parsing approach as the existing parser
• Has comprehensive test coverage

Related issue number

This has likely been an issue since the beginning, as we previously used Python's SimpleCookie which has the same incorrect behavior. Now that we have our own parser (from PR #11112), we can fix this RFC compliance issue.

Checklist

• I think the code is well written
• Unit tests for the changes exist
• Documentation reflects the changes
• If you provide code modification, please add yourself to CONTRIBUTORS.txt
  • The format is <Name> <Surname>.
  • Please keep alphabetical order, the file is sorted by names.
• Add a new news fragment into the CHANGES/ folder

  • name it <issue_or_pr_num>.<type>.rst (e.g. 588.bugfix.rst)

  • if you don't have an issue number, change it to the pull request
    number after creating the PR

    • .bugfix: A bug fix for something the maintainers deemed an
      improper undesired behavior that got corrected to match
      pre-agreed expectations.
    • .feature: A new behavior, public APIs. That sort of stuff.
    • .deprecation: A declaration of future API removals and breaking
      changes in behavior.
    • .breaking: When something public is removed in a breaking way.
      Could be deprecated in an earlier release.
    • .doc: Notable updates to the documentation structure or build
      process.
    • .packaging: Notes for downstreams about unobvious side effects
      and tooling. Changes in the test invocation considerations and
      runtime assumptions.
    • .contrib: Stuff that affects the contributor experience. e.g.
      Running tests, building the docs, setting up the development
      environment.
    • .misc: Changes that are hard to assign to any of the above
      categories.

  • Make sure to use full sentences with correct case and punctuation,
    for example:

    Fixed issue with non-ascii contents in doctest text files
    -- by :user:`contributor-gh-handle`.

    Use the past tense or the present tense a non-imperative mood,
    referring to what's changed compared to the last released version
    of this project.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.86%. Comparing base (85b0df4) to head (966d200).
Report is 1 commits behind head on master.

✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff            @@
##           master   #11178    +/-   ##
========================================
  Coverage   98.86%   98.86%            
========================================
  Files         131      131            
  Lines       43010    43220   +210     
  Branches     2316     2320     +4     
========================================
+ Hits        42520    42730   +210     
  Misses        340      340            
  Partials      150      150            

Flag	Coverage Δ
CI-GHA	98.75% <100.00%> (+<0.01%)	⬆️
OS-Linux	98.48% <100.00%> (+<0.01%)	⬆️
OS-Windows	96.82% <100.00%> (+0.01%)	⬆️
OS-macOS	97.71% <100.00%> (+0.01%)	⬆️
Py-3.10.11	97.36% <100.00%> (+0.01%)	⬆️
Py-3.10.17	97.85% <100.00%> (+0.60%)	⬆️
Py-3.10.18	?
Py-3.11.12	98.03% <100.00%> (+0.05%)	⬆️
Py-3.11.9	97.55% <100.00%> (+0.01%)	⬆️
Py-3.12.10	98.41% <100.00%> (+<0.01%)	⬆️
Py-3.13.3	98.39% <100.00%> (+<0.01%)	⬆️
Py-3.9.13	97.24% <100.00%> (+0.01%)	⬆️
Py-3.9.22	97.72% <100.00%> (+<0.01%)	⬆️
Py-pypy7.3.16	85.07% <100.00%> (-3.46%)	⬇️
VM-macos	97.71% <100.00%> (+0.01%)	⬆️
VM-ubuntu	98.48% <100.00%> (+<0.01%)	⬆️
VM-windows	96.82% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[codspeed-hq]

CodSpeed Performance Report

Merging #11178 will not alter performance

_{Comparing parse_cookie_headers_ignore_attrs (966d200) with master (85b0df4)}

Summary

✅ 59 untouched benchmarks

[bdraco]

now matches requests.session behavior. before SimpleCookie().load would always treat as attributes

[patchback]

Backport to 3.12: 💚 backport PR created

✅ Backport PR branch: patchback/backports/3.12/915338c7b02d843114e05a94508e6d91921e88d7/pr-11178

Backported as #11181

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

[patchback]

Backport to 3.13: 💚 backport PR created

✅ Backport PR branch: patchback/backports/3.13/915338c7b02d843114e05a94508e6d91921e88d7/pr-11178

Backported as #11182

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.