Constructing cookies from user input can allow an attacker to control a user's cookie. This may lead to a session fixation attack. Additionally, client code may not expect a cookie to contain attacker-controlled data, and fail to sanitize it for common vulnerabilities such as Cross Site Scripting (XSS). An attacker manipulating the raw cookie header may additionally be able to set cookie attributes such as HttpOnly to insecure values.

Do not use raw user input to construct cookies.

In the following cases, a cookie is constructed for a Flask response using user input. The first uses set_cookie, and the second sets a cookie's raw value through the set-cookie header.

Wikipedia - Session Fixation.