Use session or cookie-WebService security policy in WebService

Source: Internet
Author: User

We are now developing a project. The business logic layer uses WebService, and the clients are Flex and ASP.NET. Both Flex and ASP.NET access the business logic and the database by calling methods in the WebService (it seems that Flex cannot access the database directly, so only WebService can be used). Now there is a problem: permissions in the WebService. For example, I have a login method in the WebService and a changepwd method to change the user's password. To call the changepwd method, I must determine whether the user is logged in. Therefore, in the login method, when the user logs in successfully, I save the user ID in the session, or use a cookie to uniquely identify the user. Then, in the changepwd method, I first check whether the calling user has a session or a cookie ID. If so, the password of the currently logged-in user can be changed.

However, a problem occurs. After login is called successfully and the current user's ID is stored in the session, the session is lost when the user then calls the changepwd method. The reason is that I did not directly open IE to access the WebService page and then invoke the WebService method from there; done that way, the verification succeeds. However, if I add a WebService reference to my project, then after the reference is added, .NET automatically generates an App_WebReferences folder to save the referenced WebService's WSDL and other information. When we call the WebService, we call the login or changepwd method directly after instantiating it. If I call the methods this way, the user ID can be stored in the session after login is called successfully, but the changepwd call does not succeed, because in changepwd I check whether the session exists, and it does not. After logging in successfully, the session user ID does not exist when changepwd is called as the second call... I lost it when using a cookie as well.

The test showed that when a method in the WebService is called from the page, it can be accessed successfully and the cookie can be set. However, when I add a WebService reference to a project and call the login method, no cookie is returned: no cookie is found in the browser's temporary files folder or in the cookies folder. Then, on the second call, changepwd, the cookie does not exist when I check my identity.

I have read a lot about cookies and sessions on the Internet, but little of it can be applied to WebService. Some people say to write a CookieContainer on the client to save the cookies passed back by the WebService, so that they are not lost. But there is a very serious problem: my client must also be Flex. If it were only .NET, of course it would be okay: in .NET, checking the session or cookie directly is very convenient, there is no loss problem, and it is not necessary to check permissions in the WebService. However, my WebService client must also be Flex. Flex does not seem to be capable of permission processing, and it cannot access the database directly, so we need to call the WebService. So I want to put all the permission processing in the WebService. The client does not need to care about it and just calls directly; I verify in the WebService. If verification passes, the method is executed; if it fails, it is not. But what I took for granted ran into the problems above.

I am really anxious, because I just joined the company and had to catch up with the company's project to create an e-commerce website. We want to create an ASP.NET version and a Flex version, with all the business logic called through WebService. I am in charge of the WebService, and I ran into this headache right at the beginning. So please help me think about it. I am a rookie and cannot think of other methods. I am really anxious now, so please help me out. Please forgive me for occupying the homepage.

Supplement: basically, I can confirm that the business logic must be written as a WebService, because our manager said that it is not only Flex: our OA system will also use the WebService next, and a WebService can be used universally. Therefore, I can only use session or cookie for verification in the WebService. Please help me find a solution. Thank you! (If you are willing to help me test, you can leave a message asking me for a test WebService. I have put some of my WebServices on the Internet.)
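The behaviour described in the post, reproduced as an added example that is not part of the original post: a Python stand-in for the service and its two kinds of caller, where the paths `/login` and `/changepwd`, the cookie name `sid` and the user id are assumptions. The client with a cookie jar plays the role of the client-side "cookiecontainer" the post mentions; the client without one never sends the session cookie back, so the server-side check in changepwd rejects it.

```python
import http.cookiejar, secrets, threading, urllib.error, urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # session id -> user id, held server-side (constructed sample state)

class Service(BaseHTTPRequestHandler):
    def do_POST(self):
        sid = SimpleCookie(self.headers.get("Cookie", "")).get("sid")
        user = SESSIONS.get(sid.value) if sid else None
        if self.path == "/login":  # credential check omitted: every login succeeds
            new_sid = secrets.token_urlsafe(32)  # unguessable session identifier
            SESSIONS[new_sid] = "user-1"
            self.send_response(200)
            self.send_header("Set-Cookie", f"sid={new_sid}; HttpOnly; Path=/")
        elif self.path == "/changepwd" and user:  # authorised only with a live session
            self.send_response(200)
        else:
            self.send_response(401)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass

def call_sequence(opener, base):
    """Call login, then changepwd, through one client; return both HTTP statuses."""
    statuses = []
    for path in ("/login", "/changepwd"):
        req = urllib.request.Request(base + path, data=b"", method="POST")
        try:
            with opener.open(req) as resp:
                statuses.append(resp.status)
        except urllib.error.HTTPError as err:
            statuses.append(err.code)
    return statuses

def demo():
    with HTTPServer(("127.0.0.1", 0), Service) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        no_proxy = urllib.request.ProxyHandler({})  # talk to localhost directly
        jar = urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar())
        without_jar = call_sequence(urllib.request.build_opener(no_proxy), base)
        with_jar = call_sequence(urllib.request.build_opener(no_proxy, jar), base)
        server.shutdown()
    return without_jar, with_jar

if __name__ == "__main__":
    print(demo())
```

The authorisation decision stays entirely on the server in both runs; the only difference between the two clients is whether the session cookie from login is stored and sent with the next call.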
