CTF Walkthrough: Exploiting Cookie-Based Privilege Escalation in Power Cookie

In picoCTF’s “Power Cookie” challenge, a website relies on a client-side isAdmin cookie to determine user privileges. By changing its value from 0 to 1, users can escalate access and retrieve the flag—highlighting why authentication and authorization must always be validated on the server, not trusted to browser-stored data.
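As an added example (not code from the challenge or the writeup), the cookie-trusting check described above sits beside a hardened version in Python: the hardened handler keeps only a signed username in the cookie and looks the privilege up on the server, so flipping a value in the browser changes nothing. `SECRET_KEY`, `USERS` and all function names are constructed for this example.

```python
import hashlib
import hmac

# Constructed for this example; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-secret"

# Constructed user store: the privilege bit lives here, on the server, never in the cookie.
USERS = {"alice": {"is_admin": False}, "root": {"is_admin": True}}


def vulnerable_is_admin(cookies: dict) -> bool:
    """The Power Cookie flaw: privilege is read straight from a client-controlled cookie."""
    return cookies.get("isAdmin") == "1"


def sign(value: str) -> str:
    """Return 'value.<hex HMAC>' so the server can detect any edit to value."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify(token: str):
    """Return the signed value if the MAC checks out, otherwise None."""
    value, _, mac = token.rpartition(".")
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time; empty value means no signature at all.
    if value and hmac.compare_digest(mac, expected):
        return value
    return None


def hardened_is_admin(cookies: dict) -> bool:
    """Only an authenticated username travels in the cookie; the privilege is a server-side lookup."""
    user = verify(cookies.get("session", ""))
    if user is None:
        return False
    return USERS.get(user, {}).get("is_admin", False)
```

Any cookie without a valid MAC, including a bare `session=root`, is treated as anonymous rather than as an error the client can learn from.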
