In the session_tokens meta_value I am seing a long hex string (as the top key).
If you parse the cookie of a logged in user:
wp_parse_auth_cookie('', 'logged_in');
You'll get something like this:
Array
(
[username] => (username)
[expiration] => (timestamp)
[token] => (randomstring1)
[hmac] => (randomstring2)
[scheme] => logged_in
)The token randomstring1 is run through a hash function (either sha256 or sha1) and that's the value you're seeing in the database.
Is it related to the wordpress_logged_in_****** stuff in the cookie?
The part after wordpress_logged_in is actually the site URL hashed:
md5(get_site_option('siteurl'));