Restlet, GWT and Sessions

What is the best way to have a session between a Restlet Java API and GWT? In my app the user will login with a username and password and if it successfully authenticates the userID is returned. This is then stored in a cookie and used in calls to the API. This is obviously completely insecure because someone could just change the userID and start updating and retrieving another user.

Is the best way to also hand a token back with the userID and the API cal开发者_如何学Pythonls must contain that token?

The token is a good way and I've seen it in a lot of implementations. Usually, this is handed over as a simple parameter for each request. Following the RESTful idea you can also just include the credentials in the HTTP request each time.