Description
There is some historical ambiguity as to what the cookie value can contain. While there is a convention that the cookie value should be URL-encoded, the specs don't seem to enforce this. lambda-api expects that the cookie value be a URL-encoded string. Any cookie containing a "%" character without a valid sequence will fail cookie decoding and can create an exception and a denial of service.
Fixing this is a bit tricky, as we would still want to correctly URL decode any standard cookie value while supporting non-standard ones. It might be worth discussing the correct solution here.
Some references I found regarding the permitted characters in a cookie value:
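The failure mode described above, and one tolerant way to handle it, as an added example that is not lambda-api's own code (the function names, the parsing rules and the sample header are assumptions made here for illustration):

```javascript
// Added example, not lambda-api code. Demonstrates that a cookie value with a
// bare "%" makes decodeURIComponent throw, and shows a parser that falls back
// to the raw value instead of propagating the exception to the request.

// Naive decode: the behaviour the issue describes. decodeURIComponent throws a
// URIError when "%" is not followed by two hex digits.
function naiveDecode(value) {
  return decodeURIComponent(value);
}

// Returns true when naiveDecode throws a URIError for the value (the DoS path).
function naiveDecodeThrows(value) {
  try {
    naiveDecode(value);
    return false;
  } catch (e) {
    return e instanceof URIError;
  }
}

// Tolerant decode: percent-decode standard values, but return non-standard
// values unchanged rather than failing the whole request.
function safeDecode(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    if (e instanceof URIError) return value;
    throw e;
  }
}

// Parse a Cookie request header into a plain object. Assumed rules: split on
// ";", split each pair on the first "=" only (values may contain "="), trim
// whitespace, strip one pair of surrounding double quotes, keep the first
// occurrence of a duplicated name, and decode every value with safeDecode.
function parseCookies(header) {
  const cookies = {};
  if (typeof header !== 'string' || header.length === 0) return cookies;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue; // no "=": not a name/value pair, skip it
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    let value = part.slice(idx + 1).trim();
    if (value.length > 1 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    if (!(name in cookies)) cookies[name] = safeDecode(value);
  }
  return cookies;
}

// Constructed sample header: one standard URL-encoded value, one non-standard
// value with a bare "%", one quoted value, and one bare flag without "=".
const SAMPLE_HEADER = 'session=abc%20def; promo=50%off; token="a%3Db"; flag';

// Stand-alone run: prints { session: 'abc def', promo: '50%off', token: 'a=b' }
console.log(parseCookies(SAMPLE_HEADER));
```

Note the remaining ambiguity the issue raises: the fallback only helps when decoding fails outright. A non-standard value that happens to form a valid escape (for example a literal "%41") will still be decoded, so a server that must preserve such values needs an explicit per-cookie opt-out rather than this heuristic.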