is the flash hash stored clientside or serverside?

all session data (flash is just a "modified session var") is stored on
the server. The only thing stored client side (unless you specificly
set it) is the session id and a session key to validate the user.