How to handle authentication in PHP REST web service?

I've read that a good way to write web services to be consumed from mobile apps is to avoid SOAP (too verbose) and to use REST. In many REST examples, I have seen it is better to avoid sessions du开发者_如何学编程e to the stateless nature of REST. But how can I assure security when invoking my web service? I would like to make a "login" call than pass a session_id/token to the next web service call. How can I do it?

The cleanest way would be using HTTP authentication. While that wouldn't go by the login+sessionid way you mentioned it would be much cleaner and more straightforward (API calls do not related on other API calls and clients do not need to expect session timeouts etc.)

You can pass user token (and session, or any other auth data if you need it) in a json request like:

{"auth": {"session_id": "abc", "token":"123"},
 "data": "your request data"
}

If you are crazy about security you can generate a new token after each user login and even have life time for tokens.