Looking at John, it struck me with two possibilities. One is, it might be referring to John for Bruteforce or the other might be the username for the login page. I tried both lol and to my surprise, both worked. First, I tried decoding the cookies by brute-forcing it with Flask-Unsign as the source also mentioned “Stop eating all the cookies”.