When the app user launches the app for the first time, he will be shown the login page. If the user submits invalid credentials, he will not be allowed to proceed past this page. If the user submits valid credentials, the server should return a successful response code (200) and a "Set-Cookie" attribute in the response headers. The app will save this info and supply it on any subsequent Flex AppBlock requests.
When a cookie becomes invalid, the server should give a 401 response code (Unauthenticated). When that happens, the app will show the login page and the user will not be able to proceed until he supplies valid credentials.