That’s because of a cross-site scripting vulnerability.

Unfortunately it also looks like a bug in Lemmy-ui keeps your stale session cookie even after you’ve been logged out. If you’re having trouble staying logged in, login and then immediately logout. After you login again, it should be persistent, but if not, clear your cookies and go from there.