I would like to suggest changing the content of the cookies x_mtok to 'LoginToken' stored in local storage. Alternatively, make this change optional by selecting flags in the global configuration for the package (not sure if there is any).

Using session key stored in the DB would make it easier to recognize the user. If you allow cookie parameters to be defined in the global configuration, it is also possible to separate the file server from the rest.

Of course, if the change gains the interest and consent of the owners of the package, I will be happy to deliver the change.

My reasons for change:
The package doesn't work since my application uses multiple servers + load balancer. Because of reasons I won't use sticky sessions.