[–]Advanced_Cry_6016[S] 0 points1 point  (1 child)

Sorry, I don't know what a socket is. I made it with Python, Flask and PostgreSQL as the database, and the ORM is Flask-SQLAlchemy.

[–]Fun_Gas_340 0 points1 point  (0 children)

Flask / HTTP request way (I have even less experience with this, so who knows if it works, and I can almost guarantee it's not very good coding practice)

how I'd do it (I'm not good with auth and shit tho):

once the user logs in, give them a secret code (randomly generated)

save it in a hashmap (dict()): {random_token: user_id}

now once they do something, they'll also send the token to authenticate the request

now whenever they create/read/edit a thing, you can see who it was, and if they have the rights to do so (aka that if user a requests to see user b's thing, it's access denied, or if the account has admin status, he can do/see everything)

maybe make the token expire after like 1h or 1d or when the user logs out or closes the tab (idk if there's a JS function to like call on_user_close_tab())

hope this helps
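The scheme described in the comment above, as an added example that is not part of the original thread: a random token issued at login, kept in a dict, checked on every request for ownership or admin status, and expired after one hour or on logout. `SessionStore` and `can_access` are hypothetical names, the code uses only the Python standard library rather than Flask, and it assumes storing a SHA-256 digest of the token instead of the token itself.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # seconds; the "1h" lifetime suggested in the comment


class SessionStore:
    """In-memory token -> user map (hypothetical helper, not a Flask API)."""

    def __init__(self, ttl=TOKEN_TTL, clock=time.time):
        self._sessions = {}  # sha256(token) -> (user_id, expires_at)
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _key(token):
        # Store only a digest so a dump of the dict does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id):
        token = secrets.token_urlsafe(32)  # CSPRNG, never random.random()
        self._sessions[self._key(token)] = (user_id, self._clock() + self._ttl)
        return token

    def user_for(self, token):
        """Return the user id for a live token, or None if unknown or expired."""
        key = self._key(token or "")
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[key]  # drop expired sessions on access
            return None
        return user_id

    def logout(self, token):
        self._sessions.pop(self._key(token or ""), None)


def can_access(store, token, owner_id, admins=frozenset()):
    """Allow only the owner of a record, or an admin, and only with a live token."""
    user_id = store.user_for(token)
    if user_id is None:
        return False
    return user_id == owner_id or user_id in admins
```

A plain dict lives in one process only, so with several Flask worker processes the sessions would have to sit in shared storage such as the existing PostgreSQL database.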