Hi, I have a question:

In Flash, I have the ability to save certain info onto the server. Now the problem is the user needs to be authenticated as admin in order to do so.

I can't use sessions, since if you work longer than 20 minutes in the Flash application, the session is gone.

The way I see it, I have 2 possibilities: 1. passing a parameter (bIsAdmin) to Flash from the Website. 2. Launch a http-get request, to get this value (bIsAdmin) from an ashx handler on application startup, when the session has not yet exired.

In my opinion, both possibilities are not really secure... So, Which one is safer, 1 or 2? Or does anybody have a better idea ?

In my opinion, 1 is safer, because with 2, you can just switch a packet tamperer in between, and bang, you're admin, with permission to save (or overwrite, =delete) anything.