The hints indicate that the password is not checked for non-admin users, so I
logged in with an arbitrary username and no password, then looked at my cookies
to make sense of how the session is persisted :

| Cookie name | Cookie value |
|-------------|--------------|
| admin | False |
| password | |
| username | iodbh |

So the cookies are plaintext. If we just change the `admin`'s cookie value to
`True` and reload the page, the flag is displayed :
`picoCTF{l0g1ns_ar3nt_r34l_82e795f4}`