Do not trust either the names or the values of cookies. They're provided by the HTTP client and can easily be faked. This means:
- Never pass a cookie value to the eval() function or unpickle it with the pickle module: both execute whatever the client sent, so either one hands the client arbitrary code execution on the server.
- Don't record filenames in a cookie and then later blithely open the path given by the cookie's value. At a minimum you must sanitize the path by checking that it doesn't contain '..' (e.g. the path "../../../../../etc/passwd" is unsafe). That check alone is not enough, though: an absolute value such as "/etc/passwd" contains no '..' and still escapes the intended directory, so resolve the path and confirm it remains under the directory you meant to serve from.
- This applies to cookie names, too, so be careful when writing code that does for name in request.cookies.keys(): ... and then uses each name as a dictionary key, file name or identifier; the client chooses those names just as freely as the values.
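The three points above, worked through in code. This is an added example, not code from the original page: it assumes a hypothetical application that keeps user files under BASE_DIR, only cares about the cookie names in KNOWN_COOKIES, and JSON-encodes plus HMAC-signs any structured value it stores client-side (signing goes slightly beyond the text, which only says not to trust values; it is the usual way to make a cookie value trustworthy). All sample inputs are constructed.

```python
"""Cookie hardening helpers (added example, not the original page's code).

Assumptions (not in the original text): the app keeps user files under
BASE_DIR, only the cookie names in KNOWN_COOKIES are meaningful to it, and
values that must survive a round trip through the client are JSON-encoded
and HMAC-signed with SECRET_KEY. All sample inputs below are constructed.
"""
import base64
import hashlib
import hmac
import json
import re
from pathlib import Path
from typing import Any, Dict, Optional

BASE_DIR = Path("/srv/app/uploads")                  # assumed upload root
KNOWN_COOKIES = frozenset({"session", "theme"})      # assumed allowlist
SECRET_KEY = b"replace-with-a-random-32-byte-key"    # placeholder, not a real key


def unsafe_open_path(cookie_value: str) -> Path:
    """The pattern the text warns against: the cookie value is joined as-is.
    "../../../../../etc/passwd" walks out of BASE_DIR, and an absolute value
    such as "/etc/passwd" replaces BASE_DIR entirely (no '..' needed)."""
    return BASE_DIR / cookie_value


def resolve_under_base(cookie_value: str, base: Path = BASE_DIR) -> Optional[Path]:
    """Return the resolved path only if it stays inside base, else None.

    A '..' substring check is the minimum; resolving and testing containment
    also rejects absolute values and symlinks that point outside base."""
    if not cookie_value or "\x00" in cookie_value:
        return None
    base_resolved = base.resolve()
    candidate = (base_resolved / cookie_value).resolve()
    try:
        candidate.relative_to(base_resolved)
    except ValueError:
        return None
    return candidate


# RFC 6265 token characters; anything else cannot be a legitimate cookie name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def select_cookies(cookies: Dict[str, str], known=KNOWN_COOKIES) -> Dict[str, str]:
    """Filter request cookies before iterating them.

    Looping over request.cookies.keys() and using each name as a key into
    settings, a file name or a format string lets the client pick the name.
    Only allowlisted, syntactically valid names survive."""
    return {n: v for n, v in cookies.items() if n in known and _TOKEN_RE.match(n)}


def sign_value(value: Any, key: bytes = SECRET_KEY) -> str:
    """Encode a structured value as JSON (never pickle) and append an HMAC."""
    payload = base64.urlsafe_b64encode(
        json.dumps(value, separators=(",", ":")).encode()).decode()
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def load_signed_value(cookie_value: str, key: bytes = SECRET_KEY) -> Optional[Any]:
    """Verify the HMAC before decoding; tampered or forged cookies yield None.

    json.loads is the replacement for eval()/pickle.loads: it can only
    produce data, never execute code, and the MAC check runs first anyway."""
    payload, sep, mac = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(unsafe_open_path("../../../../../etc/passwd"))   # escapes BASE_DIR
    print(resolve_under_base("../../../../../etc/passwd"))  # None
    print(resolve_under_base("reports/q1.txt"))
    print(select_cookies({"session": "abc", "../x": "1", "__class__": "2"}))
    token = sign_value({"user": 7})
    print(load_signed_value(token), load_signed_value(token[:-1] + "!"))
```

resolve_under_base deliberately resolves both sides with Path.resolve() before comparing, so a value that sneaks past a naive '..' check (an absolute path, or a symlink inside the upload directory that points elsewhere) is rejected on the same code path. The signed-cookie helpers show the value side: a client can still read the JSON, but cannot change it without the key, and even a valid token decodes to plain data rather than executable objects.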