What I mean is, when they regenerated the HTTP cookie from other sources, they generated the exact same cookie, so you could tell.
If they change it to say `encrypt(tracking number + nonce)`, then it will be effectively the same cookie, but you wont be able to tell from the client perspective.
Many times don't regenerate the exact same cookie. Many of them generate a different cookie to avoid detection many of them will have random names and other "random" identifiers, some of them will even attempt to hide them selves as GA cookies(UTM UTA etc), however they will always embed the same identifiable information they've retrieved from other stores in your browser.
If they change it to say `encrypt(tracking number + nonce)`, then it will be effectively the same cookie, but you wont be able to tell from the client perspective.