[Client] Double Set-Cookie header management #4486

@kyriog

Description

Long story short

In my use case, I have a webserver (over which I have no control) which sends me, in a single request, two Set-Cookie headers with the same cookie name. The first one contains an empty value and an expires header in the past, to remove the cookie, and the second one defines a value, but without that header, to make it a session cookie.

The problem is that in the response, the two cookies are "mixed" into a single one, with the value from the second Set-Cookie and the expires from the first one, which causes the cookie to be deleted from the cookie jar in the session, as Expires is in the past.

Expected behaviour

Response and session cookie jar should contain the second cookie (at least).

Actual behaviour

Response contains a cookie with the value of the second cookie, but the expires from the first one.
In the session, the cookie is removed.

Steps to reproduce

  1. Find a server which sends a cookie twice, or use the simple gist example.
  2. Use aiohttp to send a request to that URL.
  3. Observe the wrong cookie content.

Your environment

aiohttp==3.6.2

Workaround

From what I found, this seems to be caused by how SimpleCookie loads cookies.
If you load the same cookie name twice, the two cookies are merged into a single one. As I don't know if this is expected behaviour from http.cookies.BaseCookie, I tried to simply remove the cookie before adding the new one:

        # cookies
        # CookieError is http.cookies.CookieError; hdrs and client_logger are aiohttp's own
        for hdr in self.headers.getall(hdrs.SET_COOKIE, ()):
            try:
                cookie_name = hdr.split('=', 1)[0]
                # SimpleCookie.load() reuses an existing Morsel for the same name,
                # so drop the old one first to keep its attributes (e.g. Expires)
                # from leaking into the new cookie
                if cookie_name in self.cookies:
                    dict.__delitem__(self.cookies, cookie_name)
                self.cookies.load(hdr)
            except CookieError as exc:
                client_logger.warning(
                    'Can not load response cookies: %s', exc)

This is not a full fix of this problem, as the problem may occur with something different from the Expires header, but it should prevent wrong "mixed" cookies.
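To make the merge reproducible outside aiohttp, here is an added example (it is neither aiohttp's code nor the reporter's): the two Set-Cookie headers are constructed to match the description above, `load_merging` shows what plain `SimpleCookie.load()` does with a repeated name, `load_replacing` applies the delete-before-load workaround, and `is_expired` stands in for the cookie jar's Expires check.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import CookieError, SimpleCookie

# Constructed sample: the two Set-Cookie headers the issue describes. The first
# clears "session" with an Expires in the past; the second sets a new session
# cookie (no Expires).
SET_COOKIE_HEADERS = [
    "session=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
    "session=abc123; Path=/; HttpOnly",
]

def load_merging(headers):
    # What aiohttp 3.6 does: SimpleCookie.load() reuses the existing Morsel for
    # a repeated name, so Expires from the first header survives into the second.
    jar = SimpleCookie()
    for hdr in headers:
        try:
            jar.load(hdr)
        except CookieError:
            pass  # aiohttp logs a warning and skips the header
    return jar

def load_replacing(headers):
    # The issue's workaround: drop the old Morsel first so the last header wins.
    jar = SimpleCookie()
    for hdr in headers:
        name = hdr.split("=", 1)[0].strip()  # .strip() added to tolerate leading spaces
        if name in jar:
            del jar[name]  # same effect as dict.__delitem__ in the issue
        try:
            jar.load(hdr)
        except CookieError:
            pass
    return jar

def is_expired(morsel, now=None):
    # Jar behaviour: a past Expires discards the cookie; empty means session cookie.
    if not morsel["expires"]:
        return False
    when = parsedate_to_datetime(morsel["expires"])
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= (now or datetime.now(timezone.utc))

def summarize(jar, name="session"):
    # (value, expires, discarded_by_jar) for one cookie in the jar
    m = jar[name]
    return m.value, m["expires"], is_expired(m)
```

`summarize(load_merging(SET_COOKIE_HEADERS))` gives the mixed cookie (new value, old Expires, discarded), while `summarize(load_replacing(SET_COOKIE_HEADERS))` keeps the second cookie intact.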
