Tags: web otp stream-cipher 

Rating: 0

tl;dr:
1. Notice that there is some stream cipher underneath
2. Extract some of the keystream and notice it repeats itself
3. Decrypt the whole cookie

Full writeup: https://github.com/p4-team/ctf/tree/master/2017-11-09-defcamp-final/hack_tac_toe