Both are in the cookie. Series is staying consistent across logins, token is updated on every successful authentication. This way it can be detected if the token of a series has been used, and therefore a cookie has been used twice.
So in a first step, we could hash the series, which already prevents the attack. Once symfony/symfony#27910 has been merged, we can also hash the value, however, given that this is a BC break, it can only be implemented in Symfony 5.