In what I believe to be a similar situation I have set a cookie on the user's machine with his/her authorization "level". When a user tries to access a page, I check the cookie. The cookie is encrypted so a clever user cannot see the value.