Writing authentication system

I am currently writing the backend for a service which has 3 clients: browser, android native and iphone native. I am having a little trouble with coming up with an authentication system since I don't know what can really be done on the clients.

I am using django + twisted for the backend.

Basically, I am going to be writing RestfulAPIs to open up for the clients on both phones to call.

Now the real question is, how should I come up with an authentication system?

I have thought about using sessionids, this works very well with the browser and I can use django's integrated app for that.

However, I don't know if it's possible for both开发者_如何学运维 the iphone and android to obtain a unique sessionid on the handset. Should I write an API call to distribute unique sessionids?

if that's the case, is it possible for me to still use django's authentication system since a lot of the stuff here are customized? ( I am not even using a rdbms - I am sticking with mongodb, so I was on the verge of dropping django's authentication app ftm).

I have looked at foursquare's API and their basic auth method requires you to pass in user:password in every http request header. That adds 1 additional authentication each call which can kind of seem excessive.

Please provide any kind of advise that you could give.

You might look at digitally signed RESTful requests, such as what is done with Amazon S3.