What is the purpose of having a token in cookies?

WordPress utilizes cookies for better security, and I’ve been trying to understand how exactly this could make a WordPress website more secure, and I found this article . There’s a pretty decent explanation, but it concerns the 3.9 version, so it’s a little bit outdated.

I compared the sources of the current WordPress code and from the examples in the article, and there’s one thing I can’t understand.

The cookie looked like this:

Set-Cookie: wordpress_urlhash=user|timestamp|hash

In that article, the guy said that we can predict wordpress_urlhash, user, timestamp and also the hash, so basically the whole cookie string, but only when we didn’t implement the unique keys/salts.

The problem is that the cookie was a little bit different from the one we use now — it didn’t have the token:

Set-Cookie: wordpress_urlhash=user|timestamp|token|hash

Does anyone know what the token was introduced for, and whether it’s predictable? What’s the purpose of it because we have the unique keys/salts, isn’t it?

According to the WP_Session_Tokens class documentation, this token is used to validate the user’s session. It does this by checking the provided token against the existing session tokens stored in the user meta table for that user.

Session tokens are generated using the wp_generate_password function, and are 43 characters long. So no, it should not be predictable.

You can check out the source to learn more about how session tokens are created, and how cookies are verified.