Do not trust either the names or the values of cookies. They're provided by the HTTP client and can easily be faked. This means:

• Never pass a cookie value to the eval() function or the pickle module.

• Don't record filenames in a cookie and then later blithely open the path given by the cookie's value. At a minimum you must sanitize the path by checking that it doesn't contain '..' (e.g. the path "../../../../../etc/passwd" is unsafe).
• This applies to cookie names, too, so be careful when writing

  code that does for name in request.cookies.keys(): ....