Tray icon bypasses UI password

No one has access unless they have your password or your active browser session data.


Your “login state” consists of 2 pieces of information. A nonce and a token. The nonce is a 44 character string generated specifically for you when you try to log in and changes every time you try to log in. The nonce is used to hash your password[1] into an unrecognisable string which is your token.

Your browser stores these while your session is active. Without the token and nonce, anyone visiting the GUI is still prompted to log in.

Any request you make to the server after you have logged in will include the nonce and the token to authenticate. Since the nonce changes with every login attempt, the token changes with every login, and the server can validate your session.

This method means you never send your password to the server, so no one can see it in transit and use it to log in later. But it does mean that if you communicate over unencrypted HTTP, someone can copy your nonce and token and “be logged in” to the server while your session is active.

[1] Technically both nonce and salt strings are used for hashing, but for this explanation that just introduces confusion.
