The easiest way is to require that all communication go over HTTPS (so the data is confidential; no one except the client and server can see it), and use a simple username and password for each request inside that secure connection. This is practically trivial to do (the username and password are transmitted over the connection as an HTTP header, which is OK because we are using HTTPS), and the server can check every time whether the user is permitted. You do not need to worry about SSL handshakes; that is what the SSL/HTTPS layer is responsible for (and why HTTPS/SSL is good).
Alternatively, the login can be performed by any method and generate some kind of magic number (for example, a UUID, or a cryptographic hash of a random number and the username), which is stored in a session cookie. Subsequent requests can simply verify that the magic number is one the server recognizes from the beginning of the session (and that not too much time has passed since it was issued); logout just forgets the magic number on the server side (and asks the client to forget it too). This is a bit more work to implement, but still not difficult, and there are server-side libraries to handle the donkey work.
The first option is especially good where you are writing something that will be used by other programs, since it is very easy to implement. The second option is better when the client is a web browser, as it gives users more control over when their browser is logged in (something software APIs do not really need). Whenever the client will be a browser, you also need to take care of protection against other types of attacks (for example, various kinds of forged requests), but that is practically independent of everything else.
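Both approaches from this answer, as an added example (not code from the original post): a Basic-auth check for credentials that arrive inside an HTTPS connection, and a server-side session store that issues a random token, rejects it once a time limit has passed, and forgets it on logout. The user table, salt, password and 30-minute limit are constructed demo values.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Option 1: HTTP Basic credentials sent inside an HTTPS connection.
# Constructed demo user table: username -> salted PBKDF2 hash (never store plaintext).
_SALT = b"constructed-demo-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}

def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a client would send (used for the demo below)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic_auth(authorization_header: str) -> Optional[str]:
    """Return the username if the Basic header carries valid credentials, else None."""
    scheme, _, payload = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(payload, validate=True).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    expected = _USERS.get(user)
    # Always compute the digest so unknown users cost the same as wrong passwords.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if expected is None or not hmac.compare_digest(digest, expected):
        return None
    return user

# Option 2: server-side session store keyed by an unguessable "magic number".
SESSION_TTL = 1800  # seconds a session stays valid after issuance (assumed value)
_sessions: Dict[str, Tuple[str, float]] = {}  # token -> (username, issued_at)

def login(user: str, now: Optional[float] = None) -> str:
    """Issue a random session token and remember who it belongs to."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _sessions[token] = (user, time.time() if now is None else now)
    return token

def check_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username for a recognised, unexpired token; forget expired ones."""
    entry = _sessions.get(token)
    if entry is None:
        return None
    user, issued_at = entry
    if (time.time() if now is None else now) - issued_at > SESSION_TTL:
        del _sessions[token]  # expired: drop it so it can never be reused
        return None
    return user

def logout(token: str) -> None:
    """Server forgets the token; the client is told to clear its cookie as well."""
    _sessions.pop(token, None)
```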