User-provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing cookies directly from tainted data
lets an attacker set the session identifier to a value they already know, so the attacker effectively shares the session with the victim. A successful attack can
result in unauthorized access to sensitive information, for example if the session identifier is not regenerated when the victim authenticates.
Typically, this type of attack is prevented by restricting, with an allow-list, which cookies user-provided data is permitted to influence.
Noncompliant Code Example
from django.http import HttpResponse

def index(request):
    value = request.GET.get("value")  # tainted: comes straight from the query string
    response = HttpResponse("")
    response["Set-Cookie"] = value  # Noncompliant: raw Set-Cookie header built from tainted data
    response.set_cookie("sessionid", value)  # Noncompliant: session identifier chosen by the client
    return response
Compliant Solution
from django.http import HttpResponse

def index(request):
    value = request.GET.get("value")
    response = HttpResponse("")
    response["X-Data"] = value  # a custom header, not the session cookie
    response.set_cookie("data", value)  # a cookie the session does not depend on
    return response
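The following added example is not part of the rule page or of Django; it reworks the two views above as plain Python (with a minimal stand-in for the response object) so the contrast can be run without a framework, and it adds the second defence the text mentions, regenerating the session identifier on authentication. The allow-list names (theme, lang), the value pattern and the SessionStore class are assumptions made for the example.

```python
import re
import secrets

SESSION_COOKIE = "sessionid"
# Assumed allow-list: the only cookies a request parameter may influence.
USER_SETTABLE_COOKIES = {"theme", "lang"}
# Assumed value policy for those cookies: short, from a conservative character set.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")


class Response:
    """Minimal stand-in for an HTTP response that records the cookies it would set."""

    def __init__(self):
        self.cookies = {}

    def set_cookie(self, name, value, httponly=True, secure=True, samesite="Lax"):
        self.cookies[name] = {
            "value": value, "httponly": httponly, "secure": secure, "samesite": samesite,
        }


def noncompliant_index(params):
    """Mirrors the page's noncompliant view: the session cookie is built from the query string."""
    response = Response()
    response.set_cookie(SESSION_COOKIE, params.get("value"))  # tainted value becomes the session id
    return response


def compliant_index(params):
    """Only allow-listed cookie names may be set, and only with values that pass the policy."""
    response = Response()
    for name in sorted(USER_SETTABLE_COOKIES):
        value = params.get(name)
        if value is not None and SAFE_VALUE.fullmatch(value):
            response.set_cookie(name, value)
    return response


class SessionStore:
    """Server-side session map keyed by the cookie value (constructed for this example)."""

    def __init__(self):
        self._sessions = {}

    def attach(self, sid):
        """Register an unauthenticated session under an identifier supplied from outside,
        which is what a server that trusts a tainted session id effectively does."""
        self._sessions.setdefault(sid, {})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, user):
        """Authenticate and rotate the identifier: a pre-authentication id that someone else
        may have learned no longer maps to the authenticated session."""
        data = self._sessions.pop(sid, {})
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def rotation_defeats_fixation(store, known_sid, user):
    """Return True if, after login, the pre-authentication id no longer reaches the user's session."""
    store.attach(known_sid)
    new_sid = store.login(known_sid, user)
    return store.get(known_sid) is None and store.get(new_sid) == {"user": user}
```

The allow-list keeps the session cookie out of reach of request data entirely, and the value pattern stops header-breaking characters from reaching Set-Cookie. Rotation on login is the backstop the text refers to: even if a client-chosen identifier reaches the store, it is discarded at the moment the session gains privileges.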
See